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Abstract 

A pattern of interaction that arises again and again in programming, 
is a “handshake”, in which two agents exchange data. The exchange is 
thought of as provision of a service. Each interaction is initiated by a 
specific agent —the client or Angel, and concluded by the other —the 
server or Demon. 

We present a category in which the objects —called interaction struc¬ 
tures in the paper— serve as descriptions of services provided across such 
handshaken interfaces. The morphisms —called (general) simulations— 
model components that provide one such service, relying on another. The 
morphisms are relations between the underlying sets of the interaction 
structures. The proof that a relation is a simulation can serve (in princi¬ 
ple) as an executable program, whose specification is that it provides the 
service described by its domain, given an implementation of the service 
described by its codomain. 

This category is then shown to coincide with the subcategory of “gen¬ 
erated” basic topologies in Sambin’s terminology, where a basic topology 
is given by a closure operator whose induced sup-lattice structure need 
not be distributive; and moreover, this operator is inductively generated 
from a basic cover relation. This coincidence provides topologists with a 
natural source of examples for non-distributive formal topology. It raises 
a number of questions of interest both for formal topology and program- 

The extra structure needed to make such a basic topology into a real 
formal topology is then interpreted in the context of interaction structures. 
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1 Introduction, preliminaries and notation 


Programmers rarely write self-standing programs, but rather modules or com¬ 
ponents in a complete system. The boundaries of components are known as 
interfaces, and these usually take the form of collections of procedures. Com¬ 
monly, a component exports or implements a “high-level” interface (for example 
files and directory trees in a file system) by making use of another “low-level” 
interface (for example segments of magnetic media on disk drives). There is, 
as it were, a conditional guarantee: the exported interface will work properly 
provided that the imported one works properly. 

One picture for the programmer’s task is therefore this: 


Export 


Output 


<= Import 


The task is to “fill the box”. In this picture the horizontal dimension shows 
interfaces. The exported, higher-level interface is at the left and the imported, 
lower-level interface at the right. The vertical dimension shows communication 
events (calls to and returns from procedures), with data flowing from top to 
bottom: c and r communicate data from the environment, while r and c com¬ 
municate data to the environment. The labels c (for command or call) and r 
(for response or return) constitute events in the higher level interface, while c 
and f are at the lower level. The pattern of communication is that first there is 
a call to the command c, then some number of repetitions of interaction pairs 
cf, then finally a return r. 

The picture this gives of the assembly of a complete system is that one has a 
series of boxes, with input arrows linked to output arrows by a “twisted pair of 
wires” reminiscent of the Greek letter “x”. This is indeed a kind of composition 
in the categorical sense, where the morphisms are components. The paper is 
about this category. 



How can we describe interfaces? Interface description languages (such as IDL 
from http://www.omg.org/) commonly take the form of signatures, i.e. typed 
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procedure declarations. The type system is “simply typed”, and it is used in 
connection with encoding and decoding arguments for possible remote trans¬ 
mission. It addresses other mechanistic, low-level and administrative issues. 
However an interface description ought to describe everything necessary to de¬ 
sign and verify the correctness of a program that uses the interface, without 
knowing anything about how it might be implemented. It should state with 
complete precision a contract, or in Dijkstra’s words a “logical firewall” between 
the user and implementer of an interface. 

We define this category in (essentially) Martin-Lof’s type theory, a construc¬ 
tive and predicative type theory in which the type-structure, is sufficiently rich 
to express specifications of interfaces with full precision. One reason for work¬ 
ing in a constructive type theory is that a model for program components in 
such a setting is ipso facto a “working” model. In principle, one may write 
executable program components in this framework, and exploit type-checking 
to ensure that they behave correctly. In practice, one has to code programs in 
real programming languages. Nevertheless, one can perhaps develop programs 
in a dependently typed framework, using type-checking to guide and assist the 
development (as it were a mental prosthesis), run the programs to debug the 
specifications, and then code the programs in a real programming notation. 

Our model is constructed from well-known ingredients. Since the seminal 
work of Floyd, Dijkstra and Hoare [12, 10, 20] there has been a well established 
tradition of specifying commands in programming languages through use of 
predicate transformers, and roughly speaking the objects of our category are 
predicate transformers on a state-space. Equally well established is the use 
of simulation relations to verify implementations of abstract data types, and 
roughly speaking, the morphisms of our category are simulation relations, or 
more precisely, relations together with a proof that they are simulations. The 
computational content of a simulation is contained in this (constructive) proof. 

However, the “natural habitat” of the notions of predicate transformer and 
simulation is higher-order (impredicative) logic. To express these notions in a 
predicative framework, we work instead with concrete, first-order representa¬ 
tions in which their computational content is made fully explicit. Again, the 
key ideas are fairly well-known, this time in the literature of constructive math¬ 
ematics and predicative type theory. Our contribution is only to put them to 
use in connection with imperative programming. 

Finally, our excuse for submitting a paper on programming to a conference 
on formal topology is that our category of interfaces and components turns 
out to coincide almost exactly with the category of basic topologies and basic 
continuous relations in Sambin’s approach to formal topology. At the least, one 
can hope that further development of this approach to program development 
can benefit from research in the field of formal topology. One may also hope 
that work in formal topology can benefit in some way from several decades of 
intensive research in the foundations of imperative programming and perhaps 
even gain a new application area. 

1.1 Plan of the paper 

The first main section (2) begins with two ways in which the notion of subset can 
be expressed in type theory. Then set up some machinery for dealing with binary 
relations, to illustrate how our notions of subset have repercussions on higher 
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order notions. In essence, we obtain besides the ordinary notion of relation a 
more computationally oriented notion of transition structure, that pre-figures 
our representation of predicate transformers. 

The next two sections (3 and 4) concern the notion of monotone predicate 
transformer. In the first of these sections (3), we review the notion of predi¬ 
cate transformer as it occurs in the theory of inductive definitions and in the 
semantics of imperative programming. The main points here are that predi¬ 
cate transformers form a complete lattice under pointwise inclusion, that they 
possess also a monoidal structure of sequential composition, and moreover that 
there are two natural forms of “iteration”. Section 4 is devoted to a predicative 
analysis of the notion of predicate transformer. This exploits the distinction 
drawn in section 2 between our two forms of the notion of subset. We represent 
predicate transformers by objects called interaction structures, and show that 
our representations supports the same algebraic structure. 

The objects of our category are interaction structures over a set of states. 
The next section (section 5) is about morphisms between these objects. It is 
convenient to unfold our answer in three stages. In the first step we define a 
restricted notion of linear simulation (that is indeed connected with the linear 
implication of linear logic) for which an interaction in the domain is simulated 
by exactly one interaction in the codomain. In the second step, we move to the 
Kleisli category for a monad connected with the reflexive and transitive closure 
of an interaction structure; we call the morphisms in the Kleisli category general 
simulations. In the third and last step, taking a hint from formal topology, we 
take a quotient of general simulations, by passing to the saturation of a relation. 
The last step captures the idea that two relations may have the same simulating 
potential, modulo some hidden interactions. 

Up to this point, the constructions have been motivated by considerations 
from imperative programming. In section 6, we examine the connection with 
formal topology. Firstly, our category of interaction structures and general 
morphisms corresponds exactly to Sambin’s category of inductively defined basic 
topologies. Secondly, formal topology goes beyond basic topology by adding a 
notion of convergence, that allows for an analysis of the notion of point. The 
remainder of section 6 is concerned with a tentative interpretation of this extra 
structure. 

We conclude with some questions raised in the course of the paper, and 
acknowledgment of some of the main sources of our ideas. 

1.2 Mathematical framework(s) 

We work in a number of different foundational settings, that we have tried to 
stratify in the following list. 

• At the bottom, the most austere is Martin-Lof’s type theory ([29, 32]), 
with a principle of inductive definitions similar to that used by Petersson 
and Synek in the paper [33], with certain forms of universe type, but 
without any form of propositional equality. 

Our category of interfaces and components can be defined using only pred¬ 
icative type theory with inductive definitions. In fact the category has 
been defined and its basic properties proved in such a theory using the 
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Agda “programming” language ([8]). The proof scripts can be found at 
http://iml.univ-mrs.fr/^hyvernat/academics .html. 

• To this we add rules for propositional equality, which is necessary to round- 
out the programming environment to a language for fully constructive 
(intuitionistic and predicative) mathematics. 

This is not the right place to try to analyze the notion of equality, in any 
of its manifestations: definitional, propositional, judgmental, intensional, 
extensional and so on. It is however a source of non-computational phe¬ 
nomena in type theory, and the history of predicative type theory (if not 
also its future) is one of a constant struggle with this notion. We wish to 
carefully track the use of the equality relation (and cognate notions such 
as singleton predicate). That is we prefer to work with “pre-sets” rather 
than “setoids” [21]. 

• We also add a principle for coinductive definitions. The foundations of 
coinduction in predicative mathematics are not yet entirely clear. We 
simply use co-inductive definitions in the most “straightforward” way, 
meaning by this that our constructs seem to make good computational 
sense. One reference for the kind of coinductive definitions we will use can 
be found in [19]. 

• At various points, it seems necessary to relax the stricture of predicativity. 
In particular, we invoke the Knaster-Tarski theorem. This lacks a strictly 
predicative justification. Since we are trying to devise computationally- 
oriented analogues of certain impredicative constructions, it is necessary 
to look at matters from the impredicative point of view, if only for com¬ 
parison. 

• Finally, at the highest or most abstruse level, we shall occasionally make 
use of classical, impredicative reasoning, thus going beyond any straight¬ 
forward computational interpretation. Working at this level Hyvernat 
([23, 22]) has identified surprising connections between an impredicative 
variant of our category and classical linear logic, even of second order. 

1.3 Type theoretic notation 

Our notation is based (loosely) on Martin-Lof’s type theory, as expounded for 
example in [29, 32]. In the paper we call this simply “type theory”. 

• To say that a value v is an element of a set S, we write v £ S. On the 
other hand, to say that o is an object of a proper type T (such as Set, the 
type of sets), we write o : T. 

• We use standard notation as in, for example [29, 32], for indexed cartesian 
products and disjoint unions. This is summarized in the following table: 



product 

sum 

dependent version 

(nag A)B{a) 

(Sag A)B(a) 

non-dependent 

A^B 

AxB 

element in normal form 

(A aeA)b 

(a,b ) 
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We iterate those constructions with a comma. Using the Curry-Howard 
isomorphism, we might also use the logical V and 3 as notations for II 
and E. 

We use the same notation at the type level. 

• Instead of the binary disjoint union A + B, we prefer to use a notation in 
which constructors can be given mnemonic names, as is common in pro¬ 
gramming environments based on type theory. For example, the disjoint 
union A + B itself could be written data ino(a £ A) | ini(6 £ B). As the 
eliminative counterpart of this construction, we use pattern matching. 

We also use ad-lib pattern matching in defining functions by recursion, 
rather than explicit elimination rules (recursors, or “weakly initial ar¬ 
rows”). 

• We use simultaneous inductive definitions of a family of sets over a fixed 
index-set (as in [33, 32]), with similar conventions. 

At an impredicative level, we will make use of /^-expressions for inductively 
defined sets, predicates, relations, and predicate transformers. 

2 Two notions of subset 

We will be concerned with two notions of subset, or more accurately two forms 
in which a subset of a set S may be given: 

{s£S\U(s)} or {f(i) | i 6 /} . 

The first we call “predicate form” —U is a predicate or propositional function 
with domain S. The second we call “indexed form”, or “family form” —/ is a 
function from the index set I into S. Other terminology might be “comprehen¬ 
sion” versus “parametric”, or “characteristic” versus “exhaustive”. 

For example, here are two ways to give the unit circle in the Euclidean plane: 
(note that we do not require in indexed form that the function / is injective) 

{ (x, y) £ M 2 | x 2 + y 2 = 1} or { (sin 9, cos 9) \ 9 £ M } . 

Of course, what we write in one form we may write in the other: 

{ 8 | (s, _) £ (E S £ S) U(s) } ; (predicate rewritten as family) 

{ a e s I (3$ € I) s =s f(l) } . (family rewritten as predicate) 

To turn a predicate into an indexed family, we take as index the set of proofs 
that some elements satisfy the predicate, and for the indexing function the first 
projection. To turn an indexed family into a predicate, we make use of the 
equality relation “=s” between elements of S, and in essence form the union of 
a family of singleton predicates: (J ieJ {/«}• 

So it may seem that what we have here is a distinction without any real 
difference. Note however that the essence of a predicate is a (set-valued) function 
defined on S, while the essence of an indexed family is a function into S, so that 
there is a difference in variance. To make this clear, let us define two functors 
which take a set S to the type of predicate-form subsets of S, and to the type 
of indexed-form subsets of S. 
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Definition 1 Define the following operations: 

• Pow(S) » S —> Set, where we may write U : Pow(S) as { s £ S \ U(s) }; 
and if f £ Si —> S2, then 

Pow{f ) : Pow(S 2 ) -*• Pow(Si) 

U w {siGS 1 ! | U(f(si)) } 

We write U C S as a synonym for U : Pow(S). Note that Pow(f) is 
usually written f~ l . 

• Fam(S) = (£/: Set) S —> 7, where we may write ( I,x) : Fam(S) as 
{ x(i ) | i 6 / }; and if f £ Si S 2 , then 

Fam(f) : Fam(Si) —> Fam(S 2 ) 

{x(i) | i e 7 } m. {/(*(«)) Me/} 

The first functor is contravariant, while the second is covariant. So the distinc¬ 
tion we have made corresponds after all to a well-known (even banal) difference. 

In a predicative framework, both these functors cross a “size” boundary: 
they go from the category of (small) sets to the category of (proper) types. In 
fact these functors can be extended to endo-functors at the level of types, going 
from the category of (proper) types to itself. Remark however that the transla¬ 
tions between subsets and families can not be carried out in either direction at 
the level of types. 

• Going from families to subsets would require a propositional (i.e. set¬ 
valued) equality relation between the objects of arbitrary types, rather 
than merely between the elements of a set. 

• Going from a propositional function defined on a type to an indexed family 
is in general impossible since we require the indexing set to be ... a set. 

This will become important when we iterate or compose our two variants of the 
power-functor. 

If we call into question, or try to work without the idea of a generic notion 
of propositional equality, the two notions of subset fall into sharp relief. In basic 
terms, the intuition of the distinction is that a family is something computa¬ 
tional, connected with what we “do” or produce. On the other hand, a predicate 
is something specificational, connected with what we “say” or require. 

How does the algebraic structure of predicates compare with that of indexed 
families? As for predicates, the situation is the normal one: if we interpret the 
logical constants constructively, they form a Heyting algebra. With the equality 
relation, the lattice is atomic, with singleton predicates for atoms. The inclusion 
and “overlap” relations axe defined as follows: 

Definition 2 Let U and V be two subsets of the same set S; define: 

• s eU = U(s) (i.e. s eU iff “U(s) is inhabited”); 

• U cv = (Us £ S)U(s) ^V(s); fis. (v*e S) seV ^seV) 

• UQV = (E a £ S) U(s ) A V(s). 

The importance of jj in a constructive setting has been stressed by Sambin: it 
is a positive version of non-disjointness, dual to inclusion. 


Remark. The confusion between the two meanings of !! C” can always be resolved 
(“C” is a synonym for _ : Pow(J) and denotes inclusion of subsets). For a full account 
of traditional set theoretic notions in “subset theory”, we refer to [39]. Here are two 
examples: 

• ■S'fuU = | T } contains all the elements of S. We write it simply S ; 

• U X V = { (s, s') E S X 5 | s eU and s' eV}. 

What now about families? In the presence of equality, which allows us to 
pass from a family to the corresponding predicate, their algebraic structure is 
the same as that of predicates. However, if we abstain from use of equality, the 
situation is as follows. The construction of set indexed suprema can be carried 
through 


Ui 6 ,{/*(*) Meii} 4 {/,(*) ( af)e(Eie/)T i } , 

which gives a sup-lattice. Additionally for any s £ S we can form the singleton 
family { s \ i £ 1} taking for I any non-empty set. 

We cannot say that an element of S belongs to a family { f(i) \ i £ I}. Still 
less can we say that one family includes another, or overlaps with it (as this 
requires an equation). What we can state however is that a family is included 
in a predicate, or that it overlaps with it: 

{f(i)\i£l}CU = (Vie/)[/(/(*)) ; 
{f{i)\i£l}§U ± (3 

To summarize, predicates have a rich algebraic structure. In contrast, the 
structure of families is impoverished, supporting only suprema operations of 
various kinds. To compensate, we have a concrete, computational form of the 
notion of subset. 

2.1 The general notion of binary relation 

A binary relation between two sets Si and S 2 is a subset of the cartesian product 
S-i x S-2, or to put it another way, a function from Si to subsets of S 2 : 

Pow(Si x S 2 ) = (Si x S 2 ) -* Set 
~ Si^(S 2 ^Set) 

= S! Pow(S 2 ) . 

We will leave implicit the isomorphism (“currying”) between the two versions. 
There are thus two ways to write “si and s 2 are related through R C Si x S'a”: 
either “(si,S2) e R” or l ‘s 2 e J?(si)”. 

Because relations are subset valued functions, they inherit all the algebraic 
structure of predicates pointwise. Additionally, we can define the following 
operations. 

R C Si x S 2 A 

Converse: - with (s 2 , Si) e R~ = (si, s 2 ) e R . 

R~ CS 2 x Si 

Equality: eq C S x S with eq(s) = {s} . (Th is requires equality!) 



Composition: 


Q C Si x S 2 RCS 2 xS 3 
Q 5 R C Si x S 3 

with (s 1; s 3 ) e (Q ? i?) = (3s 2 G S 2 ) (si, s 2 ) £ Q and (s 2 , s 3 ) e R . 


Reflexive and transitive closure: - 

R* cSxS 

with R* = eq U R U (R ° 9 R) U R 3 U . . . (inductive definition) 

Note that the “reflexive” part requires equality to be definable. 

Post and pre-division: 


Q C Si x S 3 R C S 2 X S 3 
(Q / R) c Si x S 2 

with (si,s 2 ) e (Q / R) = i?(s 2 ) C Q(si) ; 


Q C S ± x S 3 R C S! x S 2 
(R\Q)CS 2 xS 3 


with (R\Q) = {Q~/R~)~ 


These operators satisfy a wealth of familiar algebraic laws, from which we want 
to recall only the following. 

• Composition and equality axe the operators of a monoid. Composition is 
monotone in both arguments, and in fact commutes with arbitrary unions 
on both sides. 

• Post-composition (_ | T2) is left-adjoint to post-division (_ / R,): similarly, 
pre-composition (i£, _) is left-adjoint to pre-division (R. \ _). 

• Converse is involutive and reverses composition: (Q ? = i?~ 5 Q rJ . 

• For each function / G S\ —> S 2 , its graph relation gr / C S-i x S 2 sat¬ 
isfies both eq Sl C (gr/) 5 (gr/)~ (totality), and (gr/)~ , gr / C eq S2 
(determinacy). 


2.2 Transition structures 

What happens to the notion of a binary relation if we replace the contravariant 
functor Pow(-) with the co-variant functor Farn{ )? This gives two candidates 
for a computational representation of relations: 

Fam(Si X S 2 ) and Si —► Fam(S 2 ) . 

• In more detail, an object of the first type consists of a set I, together with 
a pair of functions with I as their common domain: / G I —> Si and 
g G I —> S 2 . Such a pair is commonly known as a span. 

• On the other hand, an object T of the second type consists of a function F 
which assigns to each s G Si a family of S 2 ’s, that we may write 

F(s) = {n(s,t) | teA(s)} . 
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Where A : Si —> Set and n E (II si € Si) A(si) S 2 . We call this a 
transition structure. When no confusion arises, we write “s[a]” instead of 
“n(s, a)”. 


In contrast with the situation with relations, any isomorphism that can 
be defined between spans and transition structures seems to require use of an 
equality relation. Transition structures are inherently asymmetric. There is 
a genuine bifurcation between spans and transition structures. In this paper 
we shall be concerned only with transition structures. To some extent, the 
relationship between spans and transition structures remains to be explored. 

Transition structures sometimes provide a more appropriate model than re¬ 
lations for “asymmetric” situations in which one of the terms of the relation has 
priority or precedence in some sense. 

• The notion of an occurrence of a subexpression of a first-order expression 
can be represented by a transition structure on expressions, in which the 
set A(s) represents the set of positions within s, and s[a] represents the 
subexpression of s that occurs at position a. 

• In general rewriting systems, an expression is rewritten according to a 
given set of rewriting rules. In state s, each rule can be represented by an 
a £ T(,s), where s [a] is the result of the rewriting of s by the rule a. 

• A deterministic automaton that reads a stream of characters, changing 
state in response to successive characters can be represented by a transi¬ 
tion structure. In such a case, one usually writes s —*• s' for s[o] = s'. 

In comparison with relations, transition structures have weaker algebraic 
properties. There are transition structure representations for equality relations 
and more generally the graphs of functions, and for indexed unions, composi¬ 
tion, and closure operations such as reflexive and transitive closure: transition 
structures form a Kleene algebra. 

Ti : 5i —> Fam(S 2 ) T 2 : 5 2 -► Fam(S 3 ) 

Composition: - 

(T 1 -,T 2 ):S 1 ^Fam(S 3 ) 

where the components (Tf ; T 2 ).A and (Tf , T 2 ).n of Ti%T 2 are defined as: 

{T\ 9 T 2 ).A(si) = {'Et 1 :T 1 .A($ 1 ))T 2 .A(s l [t 1 j) 

C Ti°,T 2 ).n(tiM ) = (sr[ti])[*a] • 

Identity: eq : 5 —> Fam(S) with T(_) = {*} and «[...] = s. Note that the 
equality relation is not necessary to define this interaction structure. 

The definitions are straightforward, and the reader is encouraged to try the case 
of reflexive and transitive closure for themselves. 

On the other hand, transition structures are not closed under intersection, 
converse, or division. They can however be used as pre-components to relations, 
and as post-divisors of relations. The definitions, which make no use of equality, 
are as follows. 


(a 1 ,8 3 )e(T',R) 

(si,s 2 )e(R/T) 
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T(si) 0 fr( S3 ); 
T(s 2 ) c R( Sl ) . 



(In the first equation, T : Si — > Pam (.$ 2 ) and R C S2 x S3, while in the second, 
R C Si x S 3 and T : S 2 -+ ffam(5 3 ).) 

Note that we can define the relation corresponding to a transition structure 
by precomposing the transition structure to equality: if T : Si —> Fam(S 2 ), 
define T° : Si —> Pow(S2) as T 5 eq s < 2 . 


3 Predicate transformers 

3.1 Motivations and basic definitions 

A predicate transformer is a function from subsets of one set to subsets of 
another: 


Pow(S 2 ) —► Pow(Si) 


Pow(S 2 ) Si -► Set 
( Pow(S 2 ) x Si) —*■ Set 
(Si x Pow(S 2 )) -» Set 
Si -► ( Pow(S 2 ) -► Set) 
Si -f Pow (Pow(S 2 )) ■ 


As these isomorphisms show, from another point of view, a predicate transformer 
is nothing but a higher-order relation (between elements of one set and subsets 
of another). 

Since the mid-70’s, predicate transformers have been used as denotations 
for commands such as assignment statements in imperative programming lan¬ 
guages. Some predicate transformers commonly considered in computer sci¬ 
ence are the weakest precondition operator, the weakest liberal precondition, 
the strongest postcondition (all introduced by Dijkstra), and the weakest and 
strongest invariant of a concurrent program (introduced by Lamport). Per¬ 
haps the most fundamental of these is the weakest precondition. In weakest 
precondition semantics, one associates to a program statement P a predicate 
transformer |P| mapping a goal predicate (which one would like to bring about) 
to an initial predicate (which ensures that execution of P terminates in a state 
satisfying the goal predicate). On the other hand, the weakest liberal precon¬ 
dition is more relevant in connection with predicates which one would like to 
avoid or maintain. 

In an effort to cut down the semantic domain of predicate transformers to 
those that are in some sense executable, various “healthiness” properties 1 have 
been required of predicate transformers. In the 80’s and 90’s reasons emerged 
for relaxing most such restrictions, except for the most basic, monotonicity. In 
explanation of monotonicity, if a goal predicate is weakened (made easier to 
achieve), the corresponding initial predicate should be weakened. More techni¬ 
cally, the Knaster-Tarski theorem is heavily exploited in developing the seman¬ 
tics of recursion and iteration. In the following, the qualification “monotone” 
will be implicit: all predicate transformers will be monotone, except where ex¬ 
plicitly indicated. 

An active field of computer science instigated by Morgan, Morris, Back, 
and von Wright is now founded on the use of monotone predicate transformers 

bike strictness, distribution over intersections, distribution over directed unions 
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not just as a semantic domain for commands, but as a framework for devel¬ 
oping imperative programs from specifications. This field is called “refinement 
calculus”; the canonical reference for the refinement calculus is Back and von 
Wright’s textbook [4]. 

The refinement calculus is a “wide spectrum” language in the sense that 
both programs and specifications are represented by monotone predicate trans¬ 
formers. (In contrast, in type theory programs and specifications lie, roughly 
speaking, on opposite sides of the “€” symbol.) Specifications are manipulated 
into an executable form (acquiring various healthiness conditions), until they 
can be coded in a real programming notation. 

3.2 Algebraic structure 

The lattice structure of predicates lifts pointwise to the level of relations. Anal¬ 
ogously, the lattice structure lifts to the level of predicate transformers: 

• predicate transformers are ordered by pointwise inclusion: 

F C G = “(\/U C S ) F(U) C G(U)” ; 

i.e. “F C G” is a shorthand for the judgment “U C S h F(U) C G(U)” 
and is not an actual proposition or set. 

• they are closed under intersection and union: 

= U* ( F i ( u )); 

(rii^-Ktf) = aw*))- 

The bottom and top of the lattice are conventionally called abort and magic 
respectively. The predicate transformer abort transforms all predicates to the 
empty predicate: it is impossible to achieve anything by use of a resource sat¬ 
isfying abort. On the other hand, magic transforms all predicates to the trivial 
predicate, which always holds. A resource fulfilling the magic specification could 
be used to accomplish anything, even the impossible. 

Just as relations support not only a lattice structure, but also a monoidal 
structure of composition, so it is with predicate transformers. Predicate trans¬ 
formers are of course closed under composition: 

F°,G = F-G; 

and the unit of composition is conventionally called skip: 

skip(t/) = U . 

Both relational and predicate transformer compositions are monotone. The dis- 
tributivity laws satisfied by “§” are however quite different from the case of 
relations. With relations, composition distributes over unions on both sides, 
though not (in general) over intersections. With predicate transformers, com¬ 
position distributes over both intersections and unions on the left, though not 
in general over either intersection or union on the right. 
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3.3 Angelic and demonic update 

Somewhat as a function f £ Si —* S 2 lifts to a relation (gr /) : Si —> Povj(S 2 ), 
so a relation R : Si —> Pow(S 2 ) lifts to a predicate transformer. However in 
this case there are two lift operations. These are conventionally called angelic 
and demonic update. 


R : Si -► Pow(S 2 ) 
(R),[R] : Pow{S 2 ) -► Pow(Si) 


with: 2 

(R)(U) = { Sl e S 1 I R( Sl ) § C/} ; (angelic update) 

[fl](E0 = {Sie^l | R( Sl )CU} . (demonic update) 

Note also that (i2~)(f7) is nothing but the set of states related by R~ to 
states that satisfy U or, in other words, the direct relational image of U under 
R. When there is no danger of confusion, we shall in the following write R{U) 
for (R~)(U) and R for (RT). 

At first sight, the angelic and demonic updates may look a little strange. 
What do they have to do with programming? In two particular cases though, 
they are immediately recognizable, namely when firstly, the relation is included 
in the equality relation on a state-space; and secondly when the relation is the 
graph of a function. 

Assertions and assumptions: when the relation R is a subset of the identity 
relation (which can be identified with a predicate U), the angelic update 
( U) is known as an assertion (that the Angel is obliged to prove), whereas 
the demonic update [U] is known as an assumption (that the Demon is 
obliged to prove). Assertion and assumption satisfy the equivalences: 

(U)(V) = UHV and [U](V) = {s G S \ U(s) -► V(s) } . 
Assignments: because singleton predicates {s} satisfy the equivalences 
{s} 0 U & seU & {s}C17, 

it follows that if / e Si -► S 2 , we have (gr /)([/) ~ U ■ f ~ [gr f](U). 
In this case the predicate transformer commutes with arbitrary intersec¬ 
tions and unions. The canonical example of such an update is the assign¬ 
ment statement x := e where a; is a state variable, and e is a “side-effect 
free” mathematical expression that may refer to the values of other state 
variables. This is interpreted as the “substitution” predicate transformer 
U h{sc S I f(s ) e U }, where / £ S —» S is the function that maps a 
state s to the state s' in which all variables except x have the same value 
as in s, and the value of x in s' is the denotation of the expression e in 
state s. 3 

2 Note that we have diverged slightly from the notation of Back and von Wright. In their 
notation, the angelic update ( R ) is written {-R}. 

3 It would take us too far afield to fully explain the syntax and semantics of state variables 
and assignment statements. 
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3.4 Fundamental adjunction 

Perhaps the most fundamental law in the refinement calculus, with the same 
pivotal role as Sambin’s “fundamental adjunction” in his development of basic 
topology through basic pairs ([35]) is the following Galois connection between 
angelic and demonic updates. 

Proposition 1 Suppose R C Si x Sa; we have, for all U C Sj, V C £ 2 
(R~)(U)CV C/C[R](P), 

which is commonly written {R~) H [R]. 

Proof: Straightforward. □ 

Points 1 and 2 of the following corollary are the ground for all the development 
of basic topology from “basic pairs” ([35]). Recall that an interior [closure] 
operator is a predicate transformer P satisfying: 

closure interior 

U C P(U) P(U) C U 

U C P(V) => P{U ) C P(V) P(U) CV^ P(U) C P(V) 

Corollary 1 We have: 

1 . (R~) 9 [R] is an interior operator, in particular: (R~) 9 [R] C skip; 

2. [R] 9 (R~) is a closure operator, in particular: skip C [R] 5 {R~); 

3. [R] = [R] 9 (R~) 9 [R] and (RT) = (R~) 9 [R] 5 (RT); 

f. (R~) commutes with all unions and [R] commutes with all intersections. 
Proof: Straightforward. □ 

Back and von Wright’s textbook on the refinement calculus contains many 
normal form theorems that relate the properties of a predicate transformer to 
its expression in the refinement calculus. Among these, the most general is the 
following. It provides one motivation for the analysis of predicate transformers 
given in section 4 below. 

Theorem 13.10. Let S be an arbitrary monotonic predicate trans¬ 
former term. Then there exist state relation terms P and Q such 
that S = (P) 9 [Q\. ([4], p. 220, with {Q} changed to (Q )) 4 

In other words, so far as monotone predicate transformers are concerned, it 
suffices to consider those in which an angelic update is followed by a demonic 
update. In section 4, we will represent predicate transformers by such a com¬ 
position, where the update relations are each given by transition structures. 

4 The proof given is an manipulation in higher-order logic, in which the relation Q is taken 
to be the membership relation. 
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3.5 Iterative constructions 


The most interesting construct are connected with iteration. (One of the main 
applications of our category will be to model iterative client-server interaction, 
in section 4.5.) 

In the case of relations and transition structures, there is a single notion of 
iteration, namely the reflexive and transitive closure. However in the case of 
predicate transformers, there are two different iteration operators: one orien¬ 
tated toward the Angel, and the other toward the Demon. 

According to the Knaster-Tarski theorem, each monotone predicate trans¬ 
former F : Pow(S) —> Pow(S) possesses both a least fixpoint pF and a greatest 
fixpoint vF. They can be defined as: 

(pX)F(X) = f]{W£S \ F(U)CH}: Pow(S) ] 

\vX)F(X) = \J{U CS | U C F(U) } : Pow(S) . 

Note that the intersection and union operators are applied to a higher order 
predicate (a predicate of predicates, rather than a family of predicates). In a 
predicative framework we therefore run into difficult questions about the justi¬ 
fication of those very general forms of induction and coinduction. In this paper 
we attempt no answer to these foundational questions: we need to consider only 
certain forms of “tail” recursion, in which the p- or I'-bound variable occurs only 
as the right-hand operand of ,. 

The two operations we need are written _* and 00 , and are characterized by 
the laws : 5 


F : Pow(S) Pow(S) 
F*,F°° : Pow(S) —>■ Pow(S) 

with the rules: 


skip U (F 5 F*) C F* 
F°° C skip n (F 5 F°°) 


skip u (F;G)CG 
F*CG 

G C Skip n (F ? G) 
GCF°° 


We may define these operations using p and v as: 

F*(U) = ( /j,X)UU(F° 9 X ) and F°°(V ) = (vX)Vn(F^X) . 

Both are iterative constructions. In the case of F* the iteration must be 
finite and the Angel chooses when to exit. In the case of F°°, the iteration may 
be infinite, and the Demon chooses when (if ever) to exit. 

Proposition 2 If F is a predicate transformer, then F* is a closure operator 
and F°° is an interior operator. 

5 Yet again we diverge from (and indeed clash with) the usual notation of Back and von 
Wright’s refinement calculus. What we call angelic iteration, and write F* is written there F® 
(and also called angelic iteration). What we call demonic iteration and write F°° is written 
there F*, and called weak iteration. 
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Proof: We give only the proof that F* is a closure operator. The proof that 

F°° is an interior operator is completely dual. 

• U C F*(U ): we know that F*(U) is a pre-fixpoint of X U U F(X), 
which means that U U F(F*(f7)) C F*(U), and so U C F*(U). 

• U CF*(V)^ F* (U) C F*(V). Suppose that U C F*(V). Since F*(U) 
is the least pre-fixpoint of! h> Ul)F(X), it suffices to show that F*(V) is 
also a pre-fixpoint of this operator, i.e. that t/UF(F*(F)) C F*(V). Since 
F*(V) is a pre-fixpoint for X ^ V U F(X), we have F(F*(V)) C F*(V), 
and by hypothesis, we have U C F*(V). We can conclude. 

It is worth noting that the operation * itself is a closure operation on the lattice 

of predicate transformers, but that 00 is not an interior operator. 

□ 

Some other properties of those operations are given by the following lemma. 

First, a definition: 

Definition 3 Suppose F is a predicate transformer. 

1. an F-invariant, (or simply an invariant when F is clear) is a post-fixpoint 
of F, i.e. a predicate U satisfying U C F(U); 

2. an F-saturated predicate, (or simply a saturated predicate when F is 
clear) is a pre-fixpoint of F, i.e. a predicate U satisfying F(U) C U. 

We have: 

Lemma 3.1 If F is a predicate transformer on S and U C S, we have: 

• F*(U) is the strongest (i.e. least) F-saturated predicate including U; 

• F°°{U ) is the weakest (i.e. greatest) F-invariant contained in U. 

Proof: We will prove only the second point, as the first one is completely dual. 

• F°°(U) is contained in U: this is a consequence of F°° being an interior 
operator. (Proposition 2.) 

• F°°(U) is F-invariant: F°°(U) is the greatest post-fixpoint of the operator 
X^un F(X): in particular, F°°(U) CU n F(F°°(F)), which implies 
that F°°({7) C F(F°°(F)). 

• F°°(U) is the greatest such invariant: suppose that V is another invariant 
contained in U, i.e. we have V C F(V) and V C U. This implies that 
V is a post-fixpoint of the above operator. Since F°°(U ) is the greatest 
post-fixpoint, we conclude directly that V C F°°(U). 

□ 


4 Interaction structures 

4.1 Motivations 

As in the case of relations, we obtain another more computationally oriented 
notion of predicate transformer by replacing the Fow(_) functor with the Farn{ ) 
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functor. There is again more than one way to do this. We will focus on the struc¬ 
ture arising from the representation of predicate transformers as S —> Pow 2 (S'): 

w i S —> Fam 2 (S') . 

Expanding the definition of Fam(-), we see that the declaration of w consists of 
the following data: 

1. a function A : S —> Set; 

2. a function D : (II s £ S) A(s) —> Set; 

3. a function n : (II s £ S, a £ A(s)) D(s, a) —> S'. 

In essentials, the invention of this structure should be attributed to Peters- 
son and Synek (though similar constructions were implicitly present in earlier 
works: [41, 16, 11]). In [33], they introduced a set-constructor for a certain 
inductively defined family of trees, relative to the signature 

A: Set 

B(x) : Set where x € A 

C(x,y) : Set where x £ A,y £ B(x) 

d(x,y,z)£A where x £ A,y £ B(x),z £ C(x,y) 

which is nothing more than a pair of a set A and an element of A —> Fam 2 (A). 
We will make use of (a slight variant of) their definitional schema in defining 
one of our iteration operators below, namely “angelic iteration”. 

4.2 Applications of interaction structures 

This type is rich in applications. Broadly speaking these applications fall under 
two headings: interaction and inference. 

Interaction. This is our main application. 

S: we take S to model the state space of a device. We prefer to call this 
the state of the interface as the device itself may have a complicated 
internal state which we need not understand to make use of the device. 
For example, think of s £ S as the state of one’s bank balance, as it is 
observed by someone using an ATM. 6 

A: for each state s £ S, we take the set A(s) to model the set of commands 
that the user may issue to the device. For example, think of a £ A(,s) as 
a request to withdraw cash from an ATM. 

D: For each s £ S and a £ A(,s), we take D(s, a) to model the set of responses 
that the device may return to the command a. It is possible that there is 
more than one response that the device may legitimately return to a given 
command. For example, think of the response Service Unavailable to 
a withdrawal request. 

6 Automatic Teller Machine —a cash machine. 
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n: For each s G S, command a G A(s) and response d G D(s,a), we take 
n(s, a, d) to model the next state of the interface. Note that the next 
state is determined by the response. This means that the current state of 
the system can always be computed from its initial state, together with a 
complete record of commands and responses exchanged ab initio. 

The two agents interacting across such a command-response interface are con¬ 
ventionally called the Angel (for a pronoun we use “she”), and the Demon 
(“he”). The Angel issues commands and receives responses. She is active, in 
that she has the initiative in any interaction. The Demon is passive, and merely 
obeys instructions, to each of which he returns a response. The terminology 
of Angels and Demons is rife in the refinement calculus literature, in which an 
interface is thought of as a contract regulating the behavior of two parties, the 
Angel and Demon. We have named the two components of an interaction struc¬ 
ture A and D after them. (Alternative dramatis personae might be 31oise and 
Vbelard, Opponent and Defendant, Master and Slave, Client and Server.) 

Other applications that have broadly the same interactive character are in¬ 
dicated in the following table. 


idiom 

S 

A 

D 

n 

game 

state 

moves 

counter-moves 

next state 

system 

state 

system call 

return 

next state 

experiment 

knowledge 

stimulus 

response 


examination 

knowledge 

question 

answer 



Inference. A second style of application of the structure (which plays no 
explicit role in this paper) is to model an inference system, or (to use Aczel’s 
term) a rule-set. One does not attempt here to capture the idea of a schematic 
rule, but rather the inference steps that are instances of such rules. 

S: we may take the elements of the set S to model judgments that can stand 
‘positively’ at the conclusion or occur ‘negatively’ as some premise of an 
inference step. 

A: for each judgment s G S, we may take the elements of the set A(,s) to 
model inference steps with conclusion s. 

D: for each judgment s G S and inference step a G A(s) by which s can be 
inferred, we may take the elements of the set D(s,a) to index, locate, or 
identify one of the family of premises required to infer s by inference step 


n: for each judgment s G A, inference step a G A(s), and index d G D(s. a) 
for a premise of that inference step, we may take n(s, a, d) to model the 
judgment to be proved at premise d in inference step a. 

Instead of judgements and inference steps, we may consider grammatical cate¬ 
gories and productions as in Petersson and Synek’s original application ([33]), 
or sorts and (multi-sorted) signatures. 


19 








4.3 Definition and basic properties 

Definition 4 If S and S' are sets, an object w of type S —> Fan 2 (S') is called 
an interaction structure (from S to S'). We refer to the components of w as 
follows: 

w.A : S —* Set 

w.D : (Ua€S) w.A(s)^Set 

w.n G (n s G S, a G w.A(a)) w.D(s, a) -► S' 

When no confusion is possible, we prefer to leave the “w. ” implicit, and simply 
write A, D and n, possibly with decorations. We also use the notation s[a/d\ as 
a synonym for w.n(a, s, d) when w is clear from the context. 

Before examining the objects of this type in more detail, we mention some 
other representations of predicate transformers: 

• Si —> Pow 2 (S 2 ) — Pow(S 2 ) —* Pow (Si): this is the notion studied in 
section 3, or in Back and von Wright’s book ([4, sec. 5.1, p. 251]) under 
the name “choice semantics”; 

• S\ —» Pow ( Fam(S 2 )) ~ Fam(S 2 ) —► Pow(S i): this notion is very similar 
to the previous one (they are equivalent in the presence of equality). To 
our knowledge, this type has never been considered as a viable notion; 

• Si —> Fam ( Pow(S 2 )): because a subset on a proper type need not be 
equivalent to a set indexed family on the same type, this notion is intrin¬ 
sically different from the previous two. This is the notion used by Aczel 
to model generalized inductive definitions in [2]. This is also the structure 
used in [9] under the name axiom set. 

From our perspective, this notion seems to abstract away the action of the 
Demon: the Angel doesn’t see the Demon’s reaction, but only a property 
of the state it produces. The Demon’s reaction is in some sense “hidden”. 

There are other variants based on types isomorphic to Pow(S 2 ) —► Pow (Si) 
such as Fam(S 2 ) —* Fam(S\), Pow(S 2 x Fam(S\)) and so on. We have not 
investigated all the possibilities systematically, but none of them seems to fit 
our purpose. 

Associated with an interaction structure w from S to S' are two monotone 
predicate transformers w° and w* : Povj(S') —> Pow(S). Both are concerned 
with the notion of “reachability” of a predicate (on S') from a state (in S). The 
difference is which agent tries to bring about the predicate: either the Angel (in 
the case of w°) or the Demon (in the case of w*). 

Definition 5 If w = (A, D. n) is an interaction structure on S, define: 


3” and “V” are syn 

onymsfor 

and 


sew°(U) & 

(3a G A(s)) 

NdeD(s,a)] 

) s[a/d\ e U 

sew*(U ) <*=> 

(Va G A(s)j 

(3 deD(s,a)) 

) s[a/d\ e U 


Of these, lemma 4.1 below shows that ° is more fundamental. 
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Definition 6 If S and S' are sets, and w is an interaction structure from S to 
S', define w 1 - : S —> Fam 2 {S') as follows. 

w ± .A(s) & (n aew.A(s)) w.D(s,a) 

w ± .D(s ,-) = w-A(s) 

w^.n^s, f, a) = s[a/f(a )] 

As we’ll see in proposition 3, this is a constructive version of the dual operator 
on predicate transformers. Although this operation doesn’t enjoy all the duality 
properties of its classical version (in particular, it is not provably involutive), 
we still have the following: 

Lemma 4.1 For any interaction structure w, we have: «;* = (ur 1 ) 0 . 

Proof: Axiom of choice. □ 

The converse w° = (w ± )' holds classically but not constructively. 

4.3.1 Lattice structure, monoidal operations 

We define inclusion between interaction structures by interpreting them as pred¬ 
icate transformers via the ° operator: 

Definition 7 Define w\ C = w\° C iu 2 °. 

Once again, this is not a proposition, but only a judgment. 

In contrast with the impoverished structure of transition structures rela¬ 
tive to relations, interaction structures support the full algebraic structure of 
monotone predicate transformers, as we now show. 

Definition 8 Define the following operations on interaction structures: 

Updates If T = (A,n) : S —> Fam(S') is a transition structure, then 


(T).A(s) 

= A(8) 

[T}.A(S) 

= {*} 

(T).D(s,a) 

= w 

[T].D(s,-) 

= A(s) 

(T).n(s, a, _) 

= 

[T].n(s, _, a) 

= s[a] . 


Extrema If is an indexed family of interaction structures, then 


(U <).£(*,(*, a)) 
(U; Wi).n(s,(i,a),d) 


(£i e I)wi.A(s) 

Wi.D(s, a ) 
Wi.n(s, a, d) 


and 


(a<M(s) 
an iWjMsj) 
an* **).«(«,/, m)) 


(Hie/) Wl .A(s) 
(Ete I)wi.D(s,a) 
VH.n{s,m,d) • 


= se( U*t 


= s e (fl iWi-A) 
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Composition Suppose w\ and W2 are interaction structures Si —*• Fam 2 (S2) 
and S2 —> Fam 2 (Sf); define a structure wi , W2, called the sequential 
composition ofwi and W2■ having type Si —► Fam 2 (Sz) with components: 


A(si) — (E 01 S vli(si)) 

(ndi e £>i(si,ai)) A 2 (si[ai/di]) 

D(si,(ai,f)) = (E dieDi(si,ai))D 2 {s[ai/di],f(di)) 

n(si,(ai,f),(di,d 2 )) = si[ai/di][/(di)/d 2 ] • 

i.e. a command in ( wi , m; 2 ).A(s) is given by a command in wi.A(s), and 
a continuation f giving, for all responses d in wi.D(s,a) a command in 
W2-A{s[a/d\). Note that ( wi , W2 )-A = wi°(w 2-A). 

Unit 


skip.A(s) = {*} 

skip .£)(«,_) = {*} 

skip. n(s, _) = s . 

These operations satisfy the expected laws: 

Proposition 3 


skip 0 

= skip ; 

(T)° 

= (T°); 

m° 

= [T°]; 


= UOi°) / 

(n^r 

= IW) >■ 

(wi 5 w 2 )° 

= wi° , W2° ; 

K) x 

= C • w° ■ C (only classically) 


Proof: Routine. Note that though to define the relation T° requires use of 
equality, one can define the predicate transformers (T°) and [T°] without it. 
For the last point, we have constructively that 

s e (w°) x (U) iff (W C S') s e w°(U) =$>U QV 

which can be taken as the definition of the dual for an arbitrary monotonic 
predicate transformer. This variant is better behaved in a constructive setting, 
and classically equivalent to the C • _ • C definition. 

□ 

In view of this proposition, we may regard interaction structures as concrete 
representations of monotone predicate transformers that support many useful 
operators of the refinement calculus. (Iteration will be dealt with in subsection 
4.4 on the following page.) As a result, we allow ourselves to overload the name 
w of an interaction structure to mean also w°. 

4.3.2 Factorization of interaction structures 

It is worth observing that any interaction structure w : S —► Fam 2 (S") is equal 
to the composition (T a ) , [T d ] where T a : S Fam(S'), T d : S’ Fam{S") 
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and S' = (EseS)w.i(s). The transition structures T a (which “issues the 
command”) and T d (which “performs the command”) are defined as follows: 

T a .A = w.A T d .A((s,a)) = w.D(s,a) 

T a .n(s,a ) = (s,a) T d .n((s,a),d ) = w.n(s,a,d ) 

This factorization should be compared with the normal form theorem for pred¬ 
icate transformers mentioned on page 15. Just as ( R a ) 5 [Rd\ is a normal form 
for monotone predicate transformers, so (with transition structures replacing 
relations) it is a normal form for interaction structures. 

In this connection, one can define a symmetric variant of the notion of in¬ 
teraction structure, consisting of two arbitrary sets S and S' with either (i) a 
pair of relations between them, or (ii) a pair of transition structures in opposite 
directions. We have used the name “Janus structure” for type-(ii) structures 
(based on transition structures in different directions). Markus Michelbrink has 
used the name “interactive game” for type-(i) structures. Michelbrink’s work 
shows that these to be highly interesting structures. The relation they bear 
to monotone predicate transformers seems not unlike that the natural numbers 
bear to the (signed) integers. 

4.4 Iteration 

We now define the iterative constructs _* and _°° on interaction structures. 

4.4.1 Angelic iteration 
Definition 9 Let w : S —> Fam 2 (S); define 
w*.A = (fiX:S^Set) (A seS) 

data EXIT 

call(u, /) where a £ S(s) 

fe(UdeD(s,a))X(s[a/d]) 

w*.D(s, exit) = data nil 

w*.D(s, call(ci, /)) = data CONS (d,d') where d£D(s,a) 

d'eD*(s[a/d],m ) 

w* .n(s, exit, nil) = s 

w*.n(s, CALL(a, /), CONs(do, d')) = w*.n(s[a/do], f(do), d') 

An element of A* (s) is a data-structure that can be interpreted as a program or 
strategy for the Angel, to issue commands and react to the Demon’s responses 
to commands. Because the definition uses a least fixpoint, this program is well 
founded in the sense that the Angel eventually reaches an exit command. 

Associated with each such program p £ 4*(,s), the set D*(s.p) and the 
function n*(s,p, _) give the family of states in which it can exit. Elements of the 
former can be seen as paths from s through p, while the latter maps a path to its 
final state. An element of D*(s,p ) is sometimes called a (finite and complete) 
rim, log, trace, or history. Note that a trace is intrinsically finite. 

Proposition 4 For any interaction structure w on S, we have w*° = w°*. 
Proof: Easy inductive proof. □ 
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To make formulas easier to read, we adopt Sambin’s notation: 
Definition 10 If w : S —> Fam 2 (S), s g S, and U,V C S, put: 

s< w U = s e w*°(U) ; 

V< W U = VCw*°{U). 

This higher-order relation satisfies: 

Lemma 4.2 

1. monotonicity: s < w U and U C V => s < w V; 

2. reflexivity: s eU => s U; 

3. transitivity: s U and U V =$> s < w V. 

Proof: This is a just a rewriting of the definition of a closure operator using the 
notation. (w*° is a closure operator by proposition 2, since w*° = w°*.) 
Note that this proof (that w*° is a closure operator) is entirely predicative. 

□ 


4.4.2 Demonic iteration 

We first recall the rules used in [19] to generate “state dependent” greatest 
fixpoints. Translated to our setting, if (A. D. n) is an interaction structure 
on S, we are allowed to form the family A°° of sets indexed by s 6 S using the 
following rules: 


• formation rule: - ; 

A°°(s) : Set 

• introduction rule: (setting up a coalgebra) 

X:S^Set F:XC W °(X ) seS x e X(s) 

Coiter(X, F, s, x) G J 4°°(s) 

(recall that F : X C w°(X) means F : (n»)X(») ** (E«) (II d) X(s[a/d\)) 

seS K&A°°(S) 

• elimination rule: - ; 

Elim (s,K)gw°(A°°)(s) 


• reduction rule: 

Elim(s, Coiter(X, F, s, x)) = (a, (Ad) Coiter(W, F, s[a/d],5(d))) 
where (a, g) = F(s, x) . 

(Here “(a, k) = ...” is how we indicate an implicit pattern matching.) 

It should be noted ([19, p. 11]) that those rules (which require that a weakly 
final coalgebra for w° ) axe dual to the rules for inductive types. Roughly speak¬ 
ing, they are the coinductive analogue of Petersson and Synek’s inductively 
defined treeset constructions, expressed with a specific destructor Elim. 7 

implicit in these rules is a certain “weak” impredicative existential quantifier, that permits 
the formation of the higher product (S X : Set) A : Set, but without the strong projections 
of the usual Sigma type. Instead, one has an elimination rule closer to that in traditional 
natural deduction. Such a “weak” quantifier is sometimes invoked in the analysis of abstract 
data types ([31]). 
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Definition 11 Let w : S —> Fam 2 (S); define 
w°°.A = (uX : S —>■ Set) (A s e S) 

(Sae w.A(s)) (nde w.D(s,a)) X{s[a/d\) 

= A°° 

U)°°.D = (pX:{U seS)A°°(s)^Set) (Xs e S,p e A°°(s)) 

data NIL 

cons {d,d') where (a, k) = Elim(p) 

deD(s,a) 
d! e X(s[a/d\,k(d)) 

w°°.n(s,p, nil) = s 

w°°.n\s,p, CONs(d, d')) = w°°.n(s[a/d\,k(d),d') 

where (a, k) = Elim(p) 

An element of A°°(s) can be interpreted as a command-response program 
starting in state s and continuing for as many cycles as desired, perhaps forever. 
One can picture such a program as an infinite tree, in which control flows along 
a branch in the tree. An element of D°°(s,p) is a finite sequence of responses 
that may be returned to the agent running the program p; and n°°(s,p, t ) is the 
state obtained after the finite response sequence t has been processed. 

Proposition 5 For any interaction structure w on S, we have w°°° = w°°°. 

Proof: Let U C S: 

• w°°°{U) C w°°°{U ): since w°°°(U) is the greatest fixpoint of U flu; 0 (J), 
it suffices to show that w°°°(U) is a post-fixpoint for the same operator, 
be. that w°°°(U) CUnw°(w°°°(U)). 

Let s e w°°°(U); this implies that there is some p G A°°(s) s.t. 

(Vt G D°°(s,p)) s\p/t] e U . 

In particular, for t = nil, we have s[p/nil] = s eU. 

We now show that s e w 0 (w°°°(U)). Let Elim(p) be of the form (oo,fc). 
We claim that (Vd G D(s,ao)) s[ao/d] e w°°°(U ): if d G D(s,ao), we 
have k(d) G A°°(s[ao/d\) and CONS (d,d') G D°°(s, (do, k)) for any d' in 
D°°(s[ao/d],A:(d)). This implies (because s ew°°°(U)) that 

s[ao/d\[k(d)/d'] = s[(a 0 , jfe)/coNS(d,<f)] e U 

which completes the proof. 

• w°°°(U) C w°°°(U): let s e w°°°(Uy, 

we need to find a p G A°°(s) s.t. (Vf G D°°(s,p)) s[p/t] e U. By the 
introduction rule for A°°, it suffices to find a coalgebra (X : S Set , F) 
with F e X C w°X. 

X = w°°°(U) together with the function F coming from the coinductive 
rule w°°° C skip n (w° %w 000 ) C w° , w°°° is such a coalgebra. 

This provides us with an element Coiter(X, F, s, x) G A°°(s) where x is 
the proof that s e w 00 °(U). 
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We will show the following: “for all states s, for all programs p generated 
by this coalgebra, for all responses t to p, we have s\p/t ] e U". More 
precisely, we will prove: 

^Vs, Va:€ X(s ), Vi £ D°°(s,p(s,x))^ s\p(s,x)/t] e U 

where p(s, x) = Coiterpf, F, s, x). 

We work by induction on the structure of t. 

base case: if t = NIL, then s[p(s. x) /nil] = s, and we have s e U since 
seX = w°°°{U) CU. 

induction case: if t = ( do,t '), then s\p(s,x)/(do,t')] = s[ao/do\[k(do)/1'} 
where Elim(p(s, a;)) = (a o, k). By the reduction rule for coinduction, 
we have; if x is of the form (do, /): 

Elim Coiter(W, F, s, x) = (a 0 , (\d 0 ) Cotter (X,F,s[a 0 /d 0 \,f(d 0 ))) 

Therefore, k(do) = p(s[ao/do}. /(do)), and we obtain the result by 
applying the induction hypothesis for s[ao/do], /(do) € X(s) and 
t' e D 00 (s,p(s[a 0 /do}, f(d 0 ))). 

□ 

Corollary 2 For any interaction structure w, we have w 1 - 00 = w*°°. 

Proof: Direct from lemma 4.1 and proposition 5. □ 

Just as for w* and <, we introduce the following notation: 

Definition 12 If w is an interaction structure on S, put: 

sk w U = sew ±0 °(U); 

Vk w U = V§w x °°(U). 

4.5 Clients, servers and their interaction 

In the vast majority of cases, there are only two kinds of program one is called 
upon to write: in programming terminology, those are called client programs 
and server programs. For background, see [40]. Clients and servers are agents on 
opposite sides of a service interface, sometimes also called a resource interface. 
The service may be, for example, to store values in addressable memory cells, 
or disk sectors. The client obtains or uses the service, the server provides it. In 
general terms, the behavior of an agent following a client program is to issue 
commands across the interface, and then use the responses to steer control to the 
right continuation point in the program, iterating through some finite number of 
command-response cycles until eventually reaching an exit point in the program. 
On the other hand, the behavior of an agent following a server program is to 
wait passively for a command, perform it and respond appropriately, for as 
many command-response cycles as required by the client. 

The programming terminology of “clients” and “servers” is connected with 
the angelic and demonic forms of iteration described above in section 4.4. The 
client issues requests or commands, and the server performs them and responds 
to the client with a sequence of results, one for each issued command. Each 
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request, its performance, and the response to it constitutes a command-response 
cycle. From the client’s perspective, we may think of the performance of the 
request as an atomic event that occurs sometime between issuing the request 
and receiving the response. The server changes state, as it were “in a trice”. 

A server may have many clients. As when someone is operating a till in a 
supermarket, we may arrange (or simulate in various ways) that a client has 
the exclusive attention of a server, cycling through the purchase of several items 
by a single client, until the trolley is empty, the customer pays, and an entire 
transaction, consisting of many cycles is complete. Then the next customer in 
the queue comes forward. The number of cycles is at the discretion of the client. 
In essence what is happening here is that the server performs an entire trans¬ 
action program (whose execution consists of several cycles) which we can view 
as a single composite command. The response to this composite command is a 
record or trace of responses to the individual commands: as it were, the receipt 
handed to the supermarket customer when the transaction is complete. How¬ 
ever, what is important is that the transactions appear to take place in a total 
order. Outside of supermarkets, there are ways of processing transactions such 
that several transactions can be in progress, and their commitment is scheduled 
to optimize either throughput or response time. Essentially, starting a transac¬ 
tion is not something visible, and one can always pretend that transactions are 
started the instant before they are committed. 

To describe clients and servers only in such a mechanistic way is however to 
miss something important. A client or server program is written to accomplish 
some purpose, or to fulfill an intention. The purpose or intention is expressed by 
a specification, ideally a formal specification that can be handled by a machine 
and used in verification. The crucial question is: what are the logical forms 
of the specifications of client and server programs? The interest of dependent 
type theory as a framework for developing programs is that one may hope, by 
exploiting the expressive power of the type system, to express specifications 
formally and yet with full precision. One may then harness decidable type¬ 
checking to guide the development of programs to meet those specifications. 

Let us attempt to answer this question. What follows is merely an attempt 
to summarize experience of reading and writing specifications for both client 
and server programs. 

Suppose w describes an interface; a client program is specified by a pair: 

I nit C S: a predicate describing initial states in which the program is required 
to work. (In other states the program need not even terminate.) The user 
of the program is obliged to ensure that the initial predicate holds before 
running the program. 

Next C S X S: a relation defined between initial states and final states. The 
value of Next for states outside Init is irrelevant: the behavior of the pro¬ 
gram is unspecified. Very often (but not always) this relation has the 
simpler “rectangular” form Init x Goal for some Goal C S; meaning that 
the goal predicate does not depend on the initial state. 

A client program satisfying such a specification is in essence a constructive 
proof that Init C { s £ S \ s <i V! Next(s) }. When the Next relation happens to 
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be of the form I nit x Goal, this takes the simpler form 
Init < w Goal . 

If we have such a proof, and the interface is in a state s such that initial 
predicate Init holds, then we can use the proof as a guide or strategy to bring 
about a state in which the goal predicate Next(s) holds, if only we are provided 
with a server that responds to all our requests. 

As for server programs, the situation is the following: again, let w describe 
the interface. A server program is usually described by a pair of predicates: 

Init C S: a non-empty set which describes the allowed initial states of the ser¬ 
vice. 

Inv C S: a predicate that holds initially and is maintained by the server. 

Remark. By symmetry with specifications Init C { s G S \ s <U Next(s) }, where 
the relation Next is not necessarily rectangular, one may also consider server specifica¬ 
tions of the form Init jjfsgS | s X® Next(s) }. At first sight the general case seems 
to have no counterpart in practice. However, if Next is actually a simulation relation 
one can express a certain kind of recoverability with a specification of this more general 
form. (This is connected with the discussion of localization at on page 45.) 

A program satisfying such a specification is in essence a constructive proof 
that Init overlaps with the weakest post-fixpoint (invariant) of w x included in 
Inv. That is to say, it yields a state together with a proof that the state belongs 
to both the initial predicate and that invariant. Recall lemma 4.1 that if w is 
given by an interaction structure 

U C w x (U) & (Vs e C/)(Va e A(s)) (3d € D(s,a )) s[a/d\ e U . 

In other words the Demon is never deadlocked, but can always respond to any 
legal command, and moreover in such a way that the invariant continues to hold 
in the new state. 

Note that a direct consequence of lemma 3.1 is that any invariant can be 
written in the form (w; ± ) 00 (l / ). The predicate V need not itself be an invariant, 
but can be weaker than the actual invariant (wA)°°(V), and so a fortiori is 
maintained by the server program. 

To summarise, a server specification takes the form Init 0 w x (Inv) where 
Inv is a predicate guaranteed to hold before and after every step. Using the ix 
notation, this gives: 

Init Inv . 

Interaction between client and server programs. What happens when 
we put a client and a server program together, and rim the former “on” the 
latter? The answer is connected with the compatibility rule in Sambin’s formal¬ 
ization of basic topology. 

Suppose that in some state s of a common interface w, we have a client 
program P that can be run to bring about a goal predicate U (i.e. s < U), and 
a server program K that maintains a predicate V (i.e. s x V). When all internal 
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calculation has been carried out, the client program P will have been brought 
into one of two forms: either (CALL (a,f),g) where 

a e .A(s) 

/ € (nrfeD(s,flP*(s[a/(f]) 

g € (II(do,<f) € £>*(«, CALL(o,/))) s[a/d][f(d)/d'] e U , 

or (exit, h) where /i(exit) is a proof that s e U. On the other hand, if (if, l ) is 
the server program, then Elim(s,-SC) has the form (r. k) where 

re(naei( S ))%a) 
kG(Ua&A(s)) (A- L )°°(s[a/r(a)]:) 
ie(nte (z> x )°°fy,if)) s[K/t) e v . 

For any U, V C S', we define an execution function with the type 


execu,v((s,P,K) ew* 

\U)%^ 

\V)) e U§ 

by means of the following clauses: 


exec u,v(s, (exit, h), (K, f)) 

= {s 

,h (exit), K) 

execc/ i v(s, (cALL(a, /),<?), ( K , 

l)) ± 


let 

(r,k) = 

Elim(s, K) 


d = 

r(a) 


P’ = 

m 


9' = 

(A d')g((d,d')) 


K' = 

k{a) 


l' = 

(A t)l((a,t)) 


in execjjy (s[a/dj, ( P',g'), ( K’,l ')) 

If we strip away the parameters and programs from this rule, we obtain 

w*{U) 0 rP°°(F) 

U § w^{V) 

that can immediately be recognized as Sambin’s compatibility rule ([36]). In 
some sense this rule expresses the mechanics of interaction between client and 
server programs. 

How does this rule apply to the formulas given above for the general form of 
client and server specifications? Suppose we have a client program satisfying the 
specification “Init Goal”, and a server program satisfying the specification 
“Init ix u , Inv”. Then we can apply the execution function to get: 

Init < Goal Init x Inv 
Goal x Inv 

The real use of a client program is turn servers in a state that satisfies the 
precondition into servers in a state that satisfies the goal predicate. 
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Safety and Liveness. The concepts of partial and total correctness emerged 
from the investigations of Floyd, Dijkstra and Hoare into the foundations of 
specification and verification for sequential programming. A program is par¬ 
tially correct if it terminates only when it has attained the goal that it should, 
while it is totally correct if in addition it terminates whenever it should. In the 
late 70’s, Lamport in [26] introduced the terms safety and liveness as the appro¬ 
priate generalizations of these concepts to the field of concurrent programming. 
In concurrent programming a program interacts with its environment while it 
is running, rather than only when initialized or terminated. Informally, a safety 
property requires that “nothing bad” should occur during execution of a concur¬ 
rent program. (A time can be associated with the violation of a safety property). 
On the other hand a liveness property requires that “something good” should 
occur (so that it is violated only at the end of time, as it were). These properties 
soon received formal definitions, in the case of safety by Lamport [27], and in 
the case of liveness by Alpern and Schneider [3]. 

These properties were defined in topological terms, with respect to the 
“Baire” space of infinite sequences of states. (The set of sequences sharing 
a common finite prefix is a basic neighborhood in this space). Briefly, a safety 
property was analyzed as a closed set of sequences, and a liveness property as a 
dense set ( i.e . one intersecting with every non-empty open set). The properties 
were also expressed in terms of linear-time temporal logic, the idea being that a 
safety property asserts that something is (now and) forever the case, whereas a 
liveness property requires that something (now or) eventually takes place. For 
various reasons liveness is usually restricted to fairness properties in which the 
temporal modalities are nested at most twice. An example of a fairness require¬ 
ment is so-called “strong” fairness, which requires that an event (state-change) 
of a certain kind occurs infinitely often providing that it is enabled infinitely of¬ 
ten. A readable account of the role these concepts play in practical specification 
can be found in Lamport’s book [28]. 

What can we say about these notions from the perspective of interaction 
structures? One thing that can be said with some confidence is that a safety 
property is an invariant. In basic topology, invariants represent closed sets. So 
this agrees with Lamport’s topological analysis. 

A liveness property on the other hand is merely a set of points which overlaps 
with every non-empty open set. It seems difficult to say anything interesting 
about liveness properties in general; but it may be easier when the properties 
are simple combinations of particular modalities such as “infinitely often” and 
“eventually always”. 

4.6 Product operations 

We describe below two product operations on interaction structures. The first 
corresponds to an operation treated in the refinement calculus ([5]), while the 
second does not. 
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Synchronous tensor. Suppose Wi and w 2 are two interaction structures on 
Si and S 2 . We define w% 0 w 2 on Si x S 2 : 

{wi®w 2 ).A((si,s 2 )) = wi.A(st) x w 2 .A(s 2 ) 

(wi®w 2 ).D((si,s 2 ),(ai,a 2 )) = wi.D(si,ai) x w 2 .D(s 2 ,a 2 ) 

(wi®w 2 ).n((s h s 3 ),(ai,a 2 %(di,d 2 )) = (si[ai/di], s 2 [a 2 /d 2 ]) 

The computational meaning of this operation is clear: one issues commands in 
each of a pair of interfaces, receives responses from them both, and they each 
move to their new state, simultaneously and atomically. Sometimes this kind of 
arrangement is called “ganging”, or “lock-step synchronization”. 

The synchronous tensor corresponds to the following operation on predicate 
transformers (addition to propositions 3, 4 and 5): 

(Fi®F 2 )(R)= IJ Fi(U)xF 2 (V) 

UxVCR 

which was used in [5] to model parallel execution of program components. 

In combination with duality (definition 6), the synchronous tensor enjoys 
strong algebraic properties (see [23]). 


Angelic product. Similarly, suppose Wi and w 2 are two interaction struc¬ 
tures on Si and S 2 . We define wi 0 w 2 on Si x S 2 : 


(w 1 Qw 2 ).A((s 1 ,s 2 )) 

(m © w 2 ).D((s!, s 2 ), ino(ai)) 
(wi © w 2 ).D((si, s 2 ), ini(a 2 )) 
(wi 0 w 2 ).n((si,s 2 ), in 0 (ai), di) 
(wi © w 2 ).n((si,s 2 ), ini(a 2 ), d 2 ) 


toi.A(si) + w 2 .A(s 2 ) 
wi.D(si,ai) 
w 2 .D(s 2 ,a 2 ) 
(s 1 [o 1 /d 1 ],s 2 ) 

(si, s 2 [o 2 /d 2 ]) . 


The computational meaning is again quite clear: a pair of interfaces is available 
to the Angel, who choose the one to use. This kind of arrangement is frequently 
found at the low-level interface of a program component, where instances of var¬ 
ious resources are exploited, one at a time, to implement a higher-level interface. 
We call this kind of combination the “angelic product”. 

In terms of predicate transformers, the angelic product corresponds to 


(Fi®F 2 )(R)= IJ {si} x F 2 (V) U IJ Fi(U)x{s 2 } 

{sijxFCil Ux{s 2 }CR 


5 Morphisms 

5.1 Linear simulations 

We now consider what to take for morphisms between predicate transformers or 
their representation by interaction structures. The definition we adopt coincides 
with what is known as a “forward” simulation in the refinement calculus. As 
we will see in section 6, it is also connected with the definition of continuous 
relation in formal topology. 
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Let us therefore consider the case of (homogeneous) interaction structures, 
subscripted with “h” and “Z” to distinguish the high and low level interfaces. 

w h ■ S h -> Fam 2 (S h ) 

I 

wi : Si —> Fam 2 (St) 

As explained earlier, we view Wf, and Wi as command-response interfaces over 
the state spaces Sh and Si, where the command and response “dialects” are 
given by (Ah, Dh) and (Ai,D{) respectively. Our intuition here is to think of a 
morphism as a systematic translation between the dialect for Wh and the dialect 
for wi, which enables us to use a device supporting the interface (Si, wi ) as if it 
were a device supporting the interface (Sh,Wh). That is, we should be able to 
translate high level .4/,-commands into low level A;-commands, and responses 
to the latter (low level D t responses) back into high level D h responses in such 
a way that the simulation of ( Sh,Wh ) by ( Si,wi ) can be indefinitely sustained. 

It is often the case that several different low-level states can represent the 
same high-level state, so that the link between high-level states and low-level 
states can be represented by a function from the latter to the former (sometimes 
called an abstraction function, or refinement mapping). It is also sometimes the 
case that several different high-level states can be represented by the same low- 
level state. For such reasons, many people take the link between high and low 
level states to be a general relation, rather than a map one one direction or the 
other. 

The question then is: how can we make this intuition of translation precise? 
The answer we propose is the following. 

Definition 13 Let : Sh — > Fam 2 (Sh), and wi : Si — > Fam 2 (Si). A linear 
simulation of (Sh,Wh) by (Si,wi) is a relation R C Sh x Si which satisfies the 
following “sustainability” condition: 


If(s h , si) e R, then 
\/a h G A h (sh ) 

3a; G A t (si) 

Vdi G Dfisi, ai) 

3dh S Dh(sh, ah) 

(s h [a h /d h ],si[ai/di\) eR 


- for all high-level commands an ■■ ■ 

- there is a low-level command ai s.t. 

- for all responses di to the low-level command ... 

- there is a response dh to the command au s.t. 

- the simulation can be sustained. 


We write R : Wh —° wi to mean R is a linear simulation from Wh to wi. 


In explanation of the qualification “linear”, we have required a one-for-one 
intertranslation between the high and low-level interfaces. (We shall shortly 
introduce a notion of general simulation, allowing zero or non-zero low-level 
interactions for each high-level interaction.) 

The formula above with its four nested quantifiers is perhaps a little daunting 
at first sight. Let’s re-express it in a more compact form. 

Lemma 5.1 R C S/,x 5; is a linear simulation of (Sh, Wh ) by (Si,wi) iff for all 
s h e S h , and a h G A h (s h ), we have R(s h ) C w t ( \J dheDh (s h ,a h ) R ( s h[ah/ d h ]))■ 

Proof: Simple formal manipulation. □ 
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Remark. A linear simulation from ui/, to wi is itself an invariant for a certain 
relation transformer “Wh —o wi”. 

Definition 14 If Wh and wi are interaction structures on Sh and Si, define a new 
interaction structure on Sh X Si with: 

A((s h ,s,)) A p/ g A h (s h } -* Ai(si)) 

(Ua h e A h (s h )) A («1 >/(%)) -* D h (s h ,a h ) 

D((s h , Sl ),(f,g)) = A(*l./(«*)> 

n((s h ,si),{f,g),(a h ,di)) = (s h [a h /g(a h , d t )], si[f(a h )/di]) . 

This concrete representation is merely the result of applying the axiom of choice to pull 
the quantifier alternation (n..) (E _) (II _) (E _) into (E _) (II _) form. Notice that every¬ 
thing has a computational meaning: the commands are intertranslation functions, the 
responses are data outside the control of the simulation, and data is communicated 
between the high and low poles of a state-pair. 

Classically, this interaction structure is (isomorphic to) the representation of the linear- 
logic implication from [23]. The corresponding tensor is the synchronous tensor ® 
defined on page 31. (One can check that “®” is left-adjoint to o”.) It is interesting 
to remark that neither composition nor iteration of predicate transformers/interaction 
structures are used in the models of linear logic from [23, 24]. 

The following proposition gives a characterization of linear simulations as a 
subcommutativity property (point 2). 

Proposition 6 The following are equivalent: 

1. R is a linear simulation of (Sh,Wh) by ( Si,wi); 

2. (RT) sW h <Zwi° 3 (R~); 

3. for all U C Sh, Sh G Sh we have Sh <W U => R(sh) R(U). 

Proof: (the implication 2=>1 requires the use of equality) 

1 =>2: we have to show that S[ e (R ,) Wh)(U) implies si e ( wi , R.)(U). 
si e R , w h (U) 

& { definition of ? } 

(3sh G Sh) (Sh, Si) e R and s h e wh(U) 

(3s/,) {sh,si) e R and 

(3a/, G A h (sh)) (Vd h G D h (s h ,a h )) s h [a h /dh\ e U 

=> {by lemma 5.1 } 

(3s/,) (s/i,s/) e R and 

si ewi(\J dh R(sh[a h /dh})) and \J dh s h [a h /dh\ C U 

^ { R = (R~) commutes with unions } 

(3s/,) (s/,, s/) e R and 

si e WiR( (J dh s h [a h /dh]) and \J dh s h [a h /dh\ C U 

=» {by monotonicity } 

si e wi 9 R(U) 

2=^1: suppose that R^Wh C wi | R, and let s/, G Sh and ah G v4/,(s/,); 
we will show that R(sh) C wi( \Jd h E Dh (s h ,a h ) R( s h[ah/dh])) and conclude using 
lemma 5.1. 

Define U = U d h eD h ( Sh ,a h ) { s h[ah/dh\}- (This where equality is needed.) 

We certainly have that s/, e Wh(U) so that i?(s/,) C R , Wh(U). By hypothesis, 
this implies that R(sh) C wi , R(U) which we had set out to prove. (Since R 
commutes with unions.) 
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The proof that 2^3 is straightforward. 

□ 

The following is easy: 

Proposition 7 If w-\ and w-2 are interaction structures, the linear simulations 
of w\ by W2 are closed under arbitrary unions (including the empty union, so 
that there is always an empty simulation). 

Finally, the following shows that we have a poset enriched category. 

Proposition 8 

1. The relational composition ( R \, R2) of two linear simulations is a linear 
simulation. 

2. If w is an interaction structure on S, then eq s : w — o w. 

3. Composition of linear simulations is monotone in both its arguments. 

We call this category LinSim. 

Proof: Straightforward. □ 

The same proposition holds if we replace interaction structures with predicate 
transformers, and use point 2 from proposition 6 as the definition of simulation. 
We call this category PT. 

Remark. Of course to define a category, we need equality relations for the identity 
morphisms of this category. Without equality, we have a weaker structure, having 
merely an associative and monotone composition of morphisms. 

A morphism is supposed to “preserve structure”. What is the structure 
preserved by a simulation? The following observation suggests one answer. 

Lemma 5.2 If R is a simulation as above, the image of an invariant for Wh 
is an invariant for wi, i.e. the image of a high-level invariant is a low-level 
invariant. 

Proof: simple application of proposition 6. □ 

Remark. The notion of a linear simulation is already well-known in the literature 
of the refinement calculus (see for example [6]). There it is known as forward (or 
“downward”) data refinement. In fact, in that setting one considers a more general 
notion, in which the relation (which may be identified with a disjunctive predicate 
transformer) is generalized to a “right-moving” predicate transformer: 

Definition 15 If Fh and Fi are transformers, and if P : Pow(Si) —> Pow(Sh), then 
Fj j is said to be data-refined through P by Fi if 

P°,F h CFr,P . 

If P commutes with arbitrary unions, then the refinement is said to be “forward”, 
whereas if P commutes with arbitrary intersections, the refinement is said to be “back- 

ln the setting of impredicative higher-order logic one can prove that the predicate 
transformers that commute with arbitrary unions are precisely those of the form ( Q) 
for some relation Q, and those that commute with arbitrary intersections are precisely 
those of the form [Q]. It follows that a linear simulation is a forward data-refinement. 
It is natural to wonder whether one can give a predicative analysis of backward data 
refinement, akin to that we have given of forward data refinement. 
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5.2 Monads and general simulations 

When a high-level interface is implemented on top of a low-level, less abstract 
interface, it is rare that a single high-level command (for example: record this 
data as a file in such and such a directory) can be translated to a single low-level 
command. Instead, several interactions across the low-level interface (reading 
and writing disk sectors) are usually required before the high-level operation 
can be completed. In essence, what we are going to do is make the notion of 
simulation more flexible and applicable by moving to the Kleisli category for a 
certain monad. 

There are at least three monads of interest: the reflexive closure, the tran¬ 
sitive closure and the reflexive/transitive closure. 

RC The functor RC(F) = skip U F is monadic. A morphism in the Kleisli 
category from (S), F t ) to (S 2 ,F 2 ) is a linear simulation of (S), F :[ ) by 
(S2, RC(F 2 )), which we call an affine simulation of (Si,Fi) by ( S 2 ,F 2 ). 
A step in (Si , F\ ) need not make use of a step in (S 2 ,F 2 ). 

RTC _* is monadic. A morphism in the Kleisli category from (Sh, Fh ) to (Si, Fi ) 
is a linear simulation of (Sh, Fh) by (Si, F*), which we call a general sim¬ 
ulation of ( Sh,Fh ) by (Si,Fi). A step in ( Sh,Fh ) may make use of any 
number of steps in (Si,Fi). 

TC The functor F + = F , F* is monadic. A morphism in its Kleisli category 
is a linear simulation of (Sh,Fh) by ( Si,Fi + ). It translates high-level 
commands to low level programs that run for at least one step. 

Proposition 9 RC(_), _ + and * are monads in LinSim and PT. We call 
the Kleisli category of _* the category of general simulations and interaction 
structures: GenSim. We write R : Wh —* wi for morphisms in this category 
(i.e. Wh —» wi is a synonym for Wh —o w*). 

Proof: We will work with interaction structures; the case of predicate trans¬ 
former is very similar. Moreover, we only treat the case of the _* functor; the 
other cases being similar. 

Recall that an endofunctor M on a category C is a monad (in triple form) if 
we have the following: 

• an operation J taking any / : C[A,M(B)] to an /*• : C \M(A), M(B)] ; 

• for any object A of C, a morphism T]a : C\A, M(A)] 
such that: 

1- v ?/“ = /; 

2. T)A* = id M(A)', 

3- (/?5 # ) lt = /" 19*- 

It is trivial to check that eq : w —o w*-, and the next proposition will show that 
if R is a linear simulation of Wh by w* then R is a linear simulation of wjjj by 
w*. Thus we can put: Rf = R and r)(s, w ) = ec ls- 

□ 
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Lemma 5.3 Let Wh and wi be two interaction structures on the sets Sh and Si; 
let R be a relation on Sh x Si. The following are equivalent: 

1. R is a linear simulation Wh —° wf; 

2. for any Sh G Sh and ah G Ah(sh): 

R(sh) < WI IJ R(sh[a h /d h ]) ; 

dh£D h (s h ,a h ) 

3. for any Sh G Sh and a' h G A^(sh): 

R(s h ) <\ m IJ R(s h [a' h /d' h ]) . 


Proof: In turn: 

1<&2: simple consequence of proposition 6. 

3=^2: follows from the observation that eq Sf is a linear simulation Wh~°w 
2=>3: let Sh € Sh and a' h G Al(s h ): we do the proof by induction on a' h : 

base case if a' h = EXIT, then we only need to show that R(sh) < tUi R(sh), 
which is trivially true since skip C w*. 

induction case if a! h is of the form CALL(a/j, f h ), then we have: 

• R(s h ) < \J dh R(s h [a h /d h ]); (by point of this lemma) 

• for any dh G Dffsh-ah), by induction hypothesis, we have: 

R(s h [a h /d h ]) {jR(s h [a h /d h ][f h (d h )/d' h ]) 

d’ h 

where d' h £ Dl(s h [a h /d h ], f h (d h )) 

• since the RHS is a subset of (J d h ,d' R( s h[cALL(ah, fh) / (dh, d' h )]) we 
can conclude (by monotonicity) that 

R(s h [a h /d h \) < Wl IJ R(s h [a' h /d' h ]) 

d'h 

which, by transitivity, imphes 

R(sh) < Wl U R (sh[a' h /d' h ]) 

d'h 

□ 

Corollary 3 We have: R is a linear simulation Wh —° tv* iff R is a linear 
simulation w £ —o w *. 
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5.3 Saturation, equality of morphisms 

We have argued that the category GenSim serves as a model for component 
based programming. However, the notion of equality on morphisms is still too 
strong. It may be that two general simulations differ extensionally though they 
still have the same potential, or “simulative power”. 

Definition 16 If R is a general simulation from Wf, to wi, we define the fol¬ 
lowing relation R (the saturation of R) on Sh x Si: 

( Sh, si) e R = si e w* ■ R(sh) ■ 

This amounts to considering instead of functions R : Sh —► Pow(Si), functions 
R : Sh — > Sat(wi), where Sat(wi ) is the collection of ^-saturated predicates. 
(See lemma 3.1.) 

The intuition behind saturation is the following. Suppose R is a relation 
between low level states Si and high level states Sh- The saturation of R, is a 
relation which allows “internal” or “hidden” low level interaction. To simulate 
a high level state Sh by a low level state si, it is permissible that the Angel has 
a program that constrains interactions starting in Si to terminate in states that 
simulate Sh- 

We have: 

Proposition 10 Let R be a general simulation of Wh by wi, then R is also a 
general simulation of Wh by wi. 

Proof: According to lemma 5.3, we need to show R(sh) < U d R{ s h[ah/dh\)- 
By lemma 5.3, we have R(sh) < R(sh[ah/dh]) and since w 2 is a closure 
operator, we have 

^2 (R(s h )) = R(s h ) < {jR(s h [a h /d h ]) . 

d h 

For any dh, R(sh[ah/dh] ) < R(sh[ah/dh]) which implies (still because w* 2 is a 
closure operator) 

R(s h [a h /d h ]) < w%(R(s h [a h /d h ]f) =R(s h [a h /d h ]) . 

Since the above is true for any dh, it implies that 

{jR(s h [a h /d h ]) < (J R(s h [a h /d h ]) . 

d h d h 

We get the result by transitivity. 

□ 

Thus, saturation provides us with an appropriate “normalization” operation 
when comparing general simulations: to compare two simulations, compare their 
normal forms. So we put: 

Definition 17 Let R ,\, R 2 be two general simulations of Wh by wi; we say that 
• R-2 is stronger than R\ (written Ri T R /2 ) if R\ C R 2 ; 
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• i?i is equivalent to R 2 (Ri « R'i) if Ri Q R-i and R 2 C R\ ■ 

The following is trivial: (point 3 follows from proposition 10). 

Lemma 5.4 We have: 

1. C is a preorder on the collection of general simulations from Wh to wi; 

2. ~ is an equivalence relation; 

3. R is (extensionally) the largest relation in the equivalence class of R; 
f. the operation Ri—>Risa closure operation. 

We can now conclude this section: 

Proposition 11 (GenSim, C) is a poset enriched category. 

Proof: The only thing we need to check is that composition is monotonic in 
both its arguments. 8 

Let Ri, R.-2 be two simulations of Wh by w m and Q \, Q2 two simulations of 
w rn by wi such that R.\ C R 2 and Q\ C Q 2 - Suppose moreover that Sh € Sh] 
we need to show that Ri , Qi(s h ) C R 2 ? Q 2 (s h ): 

• we have Ri(s/ l ) C R 2 (sf t ) because R 1 O R 2 ; 

• we also have (Qi ?Sl)(s/j) ( Q 2 ^Rajish). 

let si e (Qi, Ri)(sh), i.e. ( s m , si) e Q 1 for some s m s.t. (sh, s m ) e R 1. We 
will show that s ; ( Q 2 ? R 2 )(sh). 

~ Q2{sm) C (Q 2 ° 9 R 2 )(s h ) since s m eRi(s h ) C R^(s h )-, 

- si e Q 2 (s m ) because Q\ C Q 2 and s; e (since s t e Qi(s m )) 

— so by monotonicity, s; e (w* , Q 2 9 R 2 ) (sh)- 

• From the last point, we get ( w* , Q\ ? R\) ( s h ) C (w* ? Q 2 5 R 2 ) (s h ); 

• for any simulation R : w -o w '*, we have (w'* , R , w*) (U) = (w'* , R) ( U ): 

c: because (R ., w*) (U) C (w'* 9 R) (U) and w'* is a closure operator; 

D: skip Cw*=> w'* 9 R C w'* 9 R , w*. 

• So we can conclude: 

RifQi(s h ) = (wf ° 9 Qi | Ri)(s h ) C (w* ° 9 Q 2 ° 9 R 2 )(s h ) = R 2 ° 9 Q 2 (s h ) . 

□ 


6 The link with formal topology 

Our title mentions both programming and formal topology. We now (at last) 
turn to the topological meaning of our constructions. We start by recalling the 
most basic notions of formal topology. 

8 This result, together with all the required lemmas has been formally checked using the 
Agda system. 
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6.1 Formal and basic topology 

The aim of formal topology was to develop pointfree topology in a fully con¬ 
structive ( i.e. predicative) setting. Motivations for pointfree topology can be 
found in [25]. Briefly, pointfree topology studies the properties of the lattice 
of open sets of a topology, without ever mentioning points (hence the name). 
Many traditional topological theorems are classically equivalent to a pointfree 
version that can be proved constructively without the axiom of choice. Example 
of such theorems include Hahn-Banach theorem, Heine-Borel theorem, or vari¬ 
ous representation theorems (such as Stone’s). The idea is thus to factor out all 
non-constructive methods into the proof that the pointfree version is equivalent 
to the traditional theorem. 

Basic topology amounts to removing the condition of distributivity of the 
lattice of open sets. The result is a very concise and elegant structure which, 
surprisingly enough, still contains the basic notions of topology (closed sets, 
open sets and continuity). It is the basis of a modular approach to formal 
topology in that one can add exactly what is needed in order to understand a 
particular property. 

Introductions to the subject can be found in [25, 43, 34, 38, 37, 15]. 

6.1.1 Basic topologies 

See [14] for details. 

Definition 18 A basic topology is a set S together with two predicate trans¬ 
formers A and J on S such that: 

• A is a closure operator; 

• J is an interior operator; 

A(U) 0 J(V) 

• A and J are compatible: - for all U. V C S. 

u o j(v) 

The set S is intended to represent a base of the topology; and so, an element 
s £ S will be called a formal basic open. A subset U of S is called open when 
U = A(U); and a subset V of S is called closed when V = J(V). 9 

A minimal requirement is that open sets [resp. closed sets] form a sup lattice 
[resp. inf lattice]. This is indeed the case: 

Lemma 6.1 If is family of open sets, define \/ i Ui = A( (J ie7 Uf); the 

type of open sets with \f and n is a lattice with all set-indexed sups. 

If {Vi)i£i is family of closed sets, define /\ { = <J( Die/ ^»)> the type of closed 

sets with /\ and LI is a lattice with all set-indexed infs. 

However, these lattices are generally speaking not distributive. (We will see a 
way to add distributivity in section 6.1.3.) As a consequence there is no notion 
of point in basic topology. 10 

9 No mistakes: a formal open is closed in the sense of A; and a formal closed is open in the 
sense of J\ See [35] for the justification. 

10 More precisely, without distributivity the notion of a point cannot be distinguished from 
that of a closed subset! 
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6.1.2 Formal continuity 


See [15] for details. 

Since a continuous function from ( Si to (S 2 ■ A 2 ,J 2 ) should map open 

sets in (S 2 , A 2 , J2) to open sets in it cannot be represented directly 

by a function from S 2 to Si. A continuous function has to be represented by 
a relation between Si and S 2 . If f C Si x S 2 represents such a continuous 
function, the intuitive, concrete meaning of (si . s 2 ) e f is thus “% C / _1 (s2)”, 
where si and s 2 are basic opens. 

Definition 19 If (Si, Ai, J\) and (S 2 , A 2 , J 2 ) are basic topologies, and R a 
relation between Si and S 2 ; R is continuous if the two conditions hold: 

1. R~(A 2 (V))cAi(R~(V)); 

2. R(Ji(U))cj 2 (R(U)). 

Equivalent characterizations are listed in [15]. It is worth noting that the two 
conditions are in general independent. 

By definition, two continuous relations R and T from Si to S 2 are (topo¬ 
logically) equal if .4(_R~S2) = A(T r ' J s 2 ) for all s 2 € S 2 . The main purpose of 
this definition is to remove dependency on the specific “base” of the topology 
considered. 

Basic topologies and continuous relations with topological equality form a 
category which is called BFTop. 

6.1.3 Convergent basic topologies 

See [36] for details. 

The above structure still lacks many properties found in “real” topologies; in 
particular, the binary infimum need not distribute over arbitrary suprema. One 
way to get distributivity is to add the following condition on the operator A: 

Definition 20 Let A be a closure operator on a set S; write U [V for the 
subset {s | (3s' e U) s e A{s'} and (3s" e V) s e -4{s"}}. We say that A is 
convergent if the following holds: 

s e A(U) s e A(V) 
s e A(U i V) 

This condition is sometimes called summability of approximations: it gives a 
way to compute the intersection of two open sets from their representatives. If 
U and V represent the two open sets A(U) and A(V), 11 then U(V represents 
the intersection .4.(17) fl A(V). 

Lemma 6.2 If (S, A, J) is a convergent basic topology, then its lattice of open 
sets is distributive. 

Proof: For any U C S, define = {s 6 S \ (3s' e 17) s e A{s'}}. We have 

u iv = u^ nv i . 

n It is a trivial observation that a subset is open iff it is of the form A(U). 
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Let U be an open set and (Vj)i £ i a set-indexed family of open sets; i.e. we 


have U = A(U) and V t = A(Vi) for all i € I. 

V&unVi 

= { U and the Vi’s are open } 

Viei-A{U) C\ A(Vi) 

= {convergence} 

\/iejA(U i Vi) 

= { definition of V and easy lemma: A (J A = A U } 

"^(Uiei U } Vj) 

= { distributivity of n and |J } 






which completes the proof that open sets do indeed form a frame. 


□ 


Traditionally, formal topologies are also equipped with a positivity predicate 
called Pos. Its intuitive meaning is “s e Pos iff s is non-empty”. This predicate 
was required to satisfy the positivity axiom: (where u + = u n Posj 


s e >1(17+) 


seA(U) 


which means that only positive opens really contribute to the topology. 

The positivity predicate is now defined from J: Pos = J(S), and the 
positivity axiom is not required anymore. (Though it will hold in all examples 
with a real topological flavor.) 

In a convergent basic topology, we can define the notion of point: (see [15]) 

Definition 21 Let (S, A, J) be a convergent basic topology; a subset a C S is 
said to be a point if: 

1. a is closed: a = J(oi); 

2. a is non-empty: a 0 a; 

3. a is convergent: si e a, s^ e a => {si} { {S2} 0 a- 

6.2 The topology of an interaction structure 

Interaction structures can be viewed as an “interactive” reading of the notion 
of inductively generated topology. 
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6.2.1 Basic topology 


Recall that if w = ( A,D,n ) is an interaction structure on S, propositions 4, 5 
and 2 guarantee that: 

• w* * is a closure operator on the subsets of S-, 

• w^ 00 is an interior operator on the subsets of S. 


We also have the execution formula (page 29): 


w*(U) Q 


As a result, we put: 

Definition 22 If w is an interaction structure on S, define: 

A W (U) 4 W *(U) ; 

J W (U) = w^°°(U) . 


°» 

\V) 


We have: 

Lemma 6.3 If w : S —*• Fam 2 (S). then ( S,A W ,J W ) is a basic topology. 


In [9], the authors use the notion of axiom set to inductively generate a 
formal cover. The difference between axiom sets and interaction structures is 
merely that an axiom set is an element of the type S —> Fam ( Povj(S)') that 
was mentioned on page 20. 

If we look at the rules used to generate <!«,, i.e. for w*, we obtain: 
seU 

s e A(U) 


a G A(s) (Vd G D(s, a)) (n{s, a, d ) e A{U)) 

• --- CALL. 

s e A(U) 

Those correspond exactly to the reflexivity and infinity rules used in [9] to 
generate the cover “<”. 


6.2.2 Continuous relations revisited 

We argued above that (generated) basic topologies and interaction structures 
are the same notions with different intuitions. We will now lift the notion of 
continuity to the realm of interaction structures. The result is that in basic 
topology, continuous relations are exactly general simulations (proposition 12 
and lemma 6.5). 

Before anything else, let’s prove a little lemma about the J operator: 

Lemma 6.4 Suppose Wh and wi are interaction structures, and R is a general 
simulation of Wh —> wi. Then R~ ■ JifV) C J h ■ R~{V) for all V C Si- 

Proof: Suppose that V C Si, ( Sh,si ) e R and s; e Ji(V); we need to show 
that St,, e J h (R~{V)). Since Jh(R~ (P)) is the greatest fixpoint of the operator 
(i?~(V)) D w ± ( ), it suffices to show that Sh is in a pre-fixpoint of the same 
operator. We claim that R~(V) is such a pre-fixpoint: 
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• sh e i?~(V) because ( sh,si) e R and sj e Ji(V) C V ; 

• fT'(F) C R~(V): 

• R~(V)Cw±(R~(V)): 

let s h G R~(V) and a h G A h (s h ); we need to find a 4 G D h (s h ,a h ) 
s.t. s/Ja/j/dh] e iT'(V'). 

By lemma 5.3, we know that si e Ai ( \J dh R(sh[ah/dh])), and because 
si e Ji(V ), we can apply the execution formula to obtain a final state 
s 'i e Ud h R{sh[ah/dh\) D Ji(V). In particular, there is a 4 G D h (sh,ah ) 
such that s[ e R(sh[a,h/dh ]). 

Since s[ e Ji{V) C V, it implies that Sh[a,h/dh] e R~(V). 

□ 

With this new lemma, it is easy to prove the following: 

Proposition 12 Let Wh and wi be two interaction structures, let R be a relation 
between Sh and Si; R is a general simulation Wh —* wi iff R^ is a continuous 
relation from ( Si,Ai,Ji ) to ( Sh,Ah,Jh )• 

Proof: Suppose first that i?~ is continuous; the definition implies in particular 
that R(Ah(U)) C Ai(R(U)) for all U C Sh- By lemma 5.3, this implies that R 
is a general simulation from Wh to W(. 

The converse is a direct application of lemma 5.3 and lemma 6.4. □ 

The category of basic topologies and continuous relation BFTop has a no¬ 
tion of equality which is more subtle (though coarser) than plain extensional 
equality of relations. Transposing it in our context we get: R « Q if and only 
if yl(i?(s ft )) = -4(Q(» fc )) ^ all s h G S h . 

Lemma 6.5 If R and Q are simulations, then R and Q are topologically equal 
iff their saturations are extensionally equal. (R and Q have the same potential, 
see page 37.) 

6.2.3 Topological product 

In section 4.6, we introduced a notion of binary “angelic tensor”, morally cor¬ 
responding to the union of several interaction structures. This operation was 
already defined in [9] (and probably in other places) as the product topology. 
In particular, we have the two continuous projection relations. 

Lemma 6.6 Ifw i and w-2 are two interaction structures, then the two following 
relations 

• 7r 1 = {( Sl ,(s 1 ,s 2 ))G5 1 x(5 1 x5 2 )}; 

• 7T2 = {(« 2 , (si, s 2 )) eS 2 x (Si x Sa)} 

are (linear) simulations from w t to w± © w 2 (for i = 1,2); and a fortiori are 
morphisms in all the categories considered. 

If one interprets the sets S\ and S 2 as (pre)bases, and < are the covering rela¬ 
tion; it is clear that this corresponds indeed to the usual product of topologies. 
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To make this statement precise would require a deeper analysis of continuous 
relations in the context of convergent topologies. 12 


6.2.4 Extending the execution formula 

The definition of basic topology places few constraints on the A and J operators. 
Compatibility is a very weak requirement. On the other hand, the A w and J w 
generated from an interaction structure w have a lot in common. In particular, 
classically, A^, and J w are dual: C , A w = J w ) C; and the positivity axiom is 
classically always true! It is thus natural to ask whether we can extend our 
interpretation to take into account more basic topologies. It is possible if we 
use different interaction structures to generate the A and the J : 

Proposition 13 Suppose that R is a simulation of ( Sh,Wh ) by (Si, W[). Then 

1. (R) ■ Ji • [i?~] is an interior operators on Pow(Sh); 

2. Ah is compatible with {R) ■ Ji ■ [i?~]. 

i.e. (Sh , Ah , (R) ■ Ji ■ [i2~]) is a basic topology. 

Proof: First point: (R) ■ Ji ■ [i?~] is an interior operator: 

. (R) • J ■ [R~m C (R) ■ [R~](U) C u 

(R) • J ■ (R-](U) C V 
[IT] ■ (R) ■ Jt ■ [ir](I7) C [ir](F) 

{ since V C [JJ~] • (R)(U) } 

Jt ■ [R~m C [R~](V) 

{J, is an interior operator} 

Ji ■ [iT}(£/) C J • (R~](V) 

{R> ■ Ji ■ [ir](I0 c (R) ■ j ■ [ir](y) 

This completes the proof that i?~ • Ji ■ [i?~] is an interior operator. 

Second point: (R) ■ Ji ■ [i?~] is compatible with Ah- 
Let Sh e Ah(U) and Sh e (R) ■ Ji • [I?~](y), i.e. we have an s[ s.t. ( Sh,s \) e R 
and s\ e Ji ■ [i?~](V). In particular, s( e R.(Ah(U)) and so s[ e A/ (R.(U)) by 
lemma 5.3. 

We can apply the execution formula in to obtain a final state s" e (R)(U) 
s.t. s'/ e Ji ■ [iZ~](V), i.e. there is an s' h e U s.t. (s' h ,s'/) e R, which imphes that 
s' h e(R)-J-lR~](V). 

a 

An interactive reading is that for interaction to take place, the Angel and 
Demon do not need to use exactly same dialect. If the Angel uses Wh and the 
Demon uses Wi, the Demon needs to interpret actions in Wh in terms of actions 
in wi, and the Angel needs to interpret reactions in wi in terms of reactions in 

12 i.e. one wants to prove that 0 is a cartesian product in the category of “localized interac¬ 
tion structures” (see definition 24 on page 46) with “convergent and total” general (see [15]) 
simulations. 
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Wh, i.e. we need to have a simulation from Wh to wi- Note that because of the 
respective roles of the Angel and Demon, one never needs to translate actions 
from the Demon or reaction from the Angel. 

In [42], Silvio Valentini investigates the problem of “completeness” of induc¬ 
tively generated topologies. It might be interesting to investigate the operation 
described above in this context. 

6.3 Localization and distributivity 

The basic topology obtained from an interaction structure is not in general dis¬ 
tributive. One way to obtain distributivity is to add a condition of convergence 
(page 40). In [9], the authors introduce the notion of “localized” axiom set 
which gives rise to convergent basic topologies, i. e. formal topologies. 

If w = ( A , D, n) is an interaction structure, a preorder < on S is said to be 
localized if the following holds: 

S '< S ,aGA( S ) =* s'ewf 1J {s[a/d)}l{s'} 

\deD(s,a ) 

This implies in particular that > is a linear simulation. 

Suppose that < is localized; if we extend the generating rules with 
s' eU s < s' 

- <-compat. 

s e A(U) 

then the resulting lattice is distributive: this is one of the results of [9]. (The 
rules were slightly more complex because they had to consider the positivity 
predicate and the positivity axiom). Note that since < is a preorder —and as 
such, reflexive— this rule is a generalization of the reflexivity rule. 

The preorder is intended to represent a priori the notion of inclusion between 
basic opens. The smallest interesting preorder to consider is the following: 
“s < s' iff s c A. {s'}” . This preorder is the saturation of the identity and it 
appears implicitly in the definition of convergence. 

The rest of this section is devoted to an analysis of the notion of localization 
in the context of interaction structures, together with a tentative computational 
interpretation. It culminates with an interpretation of the notion of formal 
points in terms of server programs. 

6.3.1 Interaction structure with self-simulation 

The first step is to add a preorder on states, and to require it to be well-behaved 
with respect to its parent interaction structure. 

Definition 23 An interaction structure with self-simulation on S is a pair 
(w, R ) where 

• w is an interaction structure on S; 

• R is a general simulation from w to itself. 
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Lemma 6.7 If R is a simulation from w to itself, then so is the reflexive tran¬ 
sitive closure of R. 

Proof: This is a direct consequence of the following facts: identities are sim¬ 
ulations, simulations compose (proposition 8) and simulations are closed under 
unions (proposition 7). 

□ 

As a result, without loss of generality we can assume the self-simulation to be a 
preorder, and we call it “>”, with converse <. The meaning of “s < s '” is thus 
“s simulates s' in w”. We write {s}+ for the segment (s >) (or (< s)) below 
s g S, and £/+ for the downclosure (<}(U) of U : Pow(S). 

We have: 

Lemma 6.8 s < V implies {s}^ < FA 

Proof: This is just an application of proposition 6. □ 

Two extreme examples of such self simulations are: 

• the empty relation, or the identity (its reflexive/transitive closure). This 
is isomorphic to the case of normal interaction structures. 

• R = ( J W {S ) x S) U (S x A„(0)). The intuition is that (sd, sa) e R iff the 
Demon can avoid deadlocks from sd or the Angel can deadlock the Demon 
from sa - 13 Classically, this can be shown to be the biggest simulation 
( i.e. it is the union of all simulations) on an interaction structure and 
a fortiori, we have R= R* = R*. 

Remark. The second example can be seen as a constructive contrapositive of the 
following fact: 

Lemma 6.9 Let > be a self-simulation on an interaction structure ( A, D, n) on S; 
suppose that s < s' (s simulates s'); we have: 

• if the Demon can avoid deadlocks from s' then he can also avoid deadlocks 
from s (i.e. s'kS=>sK S); 

• if the Angel can drive the Demon into a deadlock from s', then she can do it 
from s (i.e. s’ < 0 => s < 0j. 

Classically, the two points are equivalent. 

The second simulation is (classically) equivalent to the one defined from those prop¬ 
erties (i.e. (s, s') e R iff s' < 0 =>- s <1 0 iff s' X S =>- s X 5). 

6.3.2 Interaction structures and localization 

We now investigate the result of strengthening the condition to get full local¬ 
ization. 

Definition 24 Let ( w, >) be an interaction structure with self simulation on S; 
we say that ( w, >) is localized if the following holds: 

si < s 2 , a 2 e A(s 2 ) => si <U U {s 2 [a 2 /d 2 }} | {si} . 

d 2 eD( S2 ,a 2 ) 

13 A Demon deadlock is a pair (s, a) such that D(s, a) = 0. 
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This condition is slightly more general than the one from [9] in the sense that it 
considers general simulations rather than linear ones. Note also that in contrast 
to the notion of convergence from definition 20, this definition doesn’t require 
equality: {s}^ is defined in terms of <. 

First, we need a lemma. 

Lemma 6.10 Suppose (w, >) is localized on w; then we have: 

s x < s 2 , <4 € -A*(s 2 ) =k si U M4/41H {«.}■ 

d' 2 eD»(s 2 ,a' 2 ) 

This means that the additional condition is well behaved with respect to the 
RTC operation. (This is analogous to point 3 of lemma 5.3; and indeed, the 
proof is very similar.) 

Proof: Suppose that si < s 2 and let a' 2 £ A*(s 2 ). We work by induction on 
the structure of a 2 . 

• if a 2 = EXIT, this is trivial. 

• if a 2 = CALL(a 2 , fc 2 ): by localization, we know that 

si U {«2[a 2 /rf 2 ]> i {si} . 

d.2 

Let s'i e \J d2 {s 2 [a 2 /d 2 )} l {si}, in particular s', < s 2 [a 2 /d 2 ] for some 
d 2 £ T ) 2 (s 2 , a 2 ). We can apply the induction hypothesis for s', < s 2 [a 2 /d 2 ] 
and fc 2 (d 2 ) to obtain: 

si < U {s2[a 2 /d2\ [fc 2 (d 2 )/4]} I {si} • 

<U l eD*( S2 [ a2 /d2)M(<h)) 

We have Ud'er>*( S2 [a 2 /d 2 ],fe 2 (rf 2 )) S U4 e z3*( S2 ,a') and i 5 !} 1 S {si} 1 (be¬ 
cause s'i < si), which implies that the right hand side is thus included in 
\Jd' 2 eD»( S2 ,a' 2 ) {s 2 [a 2 /d 2 ]} l {si}. By monotonicity, we get 

|J{s 2 [a 2 /d 2 ]}!{si} < U • 

d 2 46D*(s2,o^) 

We get the result by transitivity. 

□ 

Lemma 6.11 If (w, >) is a localized interaction structure, then s <U implies 
s<Ui{s}. 

Proof: Let s < U, i.e. there is a a' in ^4*(s) s.t. U d'eD*( s ,a') {s[a'/d'}} C U. 
Since < is reflexive, and by the previous lemma, we know that 

s<(J{s[a'/d']}|{s} • 

The RHS is obviously included in U l {s}, so we get the result by monotonicity. 

□ 
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Corollary 4 If ( w , >) is a localized interaction structure, then U < V implies 
U<U{V. 

We will now check that convergence is satisfied for such a (S, A w , <). 

Proposition 14 If (w, >) is a localized interaction structure, then s < U and 
s < V jointly imply s <U [V. 

Proof: By lemma 6.11, we know that s <3 U } {s}. By lemma 6.8 we know 
that {.s}' < pf, which implies U J. {s} < V 1 : which (by corollary 4) imphes 
(Ul{s})i<Vi(Ul{s}). 

Since we have (U J. V)^ = U J. V, we can deduce that 

s < Ui{s} < U [V [ {s} C U |P. 

□ 

However, strictly speaking, the proof of lemma 6.2 doesn’t apply to the 
preorder context. Instead, we have to match the operator generated by adding 
the <-compat rule ( on page 45), and define: 

Definition 25 if (w. <) is an interaction structure with self simulation, we 
write A w ,< for the predicate transformer U i—» A w (?/■*•), where is the down- 
closure of U, i.e. CM = {s | (3s' eU) s < s'}. 

The intuition is quite straightforward: if s' can simulate a state s (s' < s) 
in U, then s' is “virtually” in U as well. This is way to say that our notion of 
simulation is semantically a real simulation. 

Corollary 5 If w is an interaction structure and < a localized preorder on S; 
then the collection of open sets (i.e. the collection of U s.t. U = A W ,<(U)) is 
distributive. 

6.3.3 Computational interpretation 

In the last section we merely transposed the definitions from [9] to the context 
of interaction structures. It is not however obvious how to make computational 
sense of these definitions. We now present an analysis of the localization in 
computational terms. The key idea is that to interpret localization, one needs 
to adopt the perspective of the Demon (server, x operator), rather than that 
of the Angel (client, < operator). 

For example, the computational content of lemma 6.11 is that it is possible 
for the Angel to conduct interaction in such a way that the behavior of the start¬ 
ing state can always be recovered by simulation. The Angel takes care that she 
can at any point change her mind, and abandon the current computation. An 
example of a command which one would not have in such a system is “Reset”, 
a command to brings the whole system back to factory settings. This would lose 
all information about previous interactions, which is not possible in a localized 
structure. 

Thus, localization is a strong condition on interaction structures, requiring 
them to be exceptionally well behaved. 
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Remark. Note that the notion of “localization” for a game has little to do with 
the notion of backtracking present in [7], where a game-theoretical interpretation of 
classical logic is presented. 

That the Angel is allowed to backtrack means that the Angel can “go back in the 
past”. If the game is localized, then the Angel does not return to a previous state, but 
plays in the current state “as if it were” the previous state. In particular, the Angel 
retains the right to make moves in the current state. 

There is a problem with interpreting the proof of proposition 14: a non-canonical 
choice was made. In the proof, we decided to first execute the client correspond¬ 
ing to s < U, and then the client corresponding to s < V on top of it. The 
opposite works just as well: 

a < V | {s} < ViUi{s} C VIU. 

The two different witnesses for s < U j V may be quite different in terms of 
execution! Here is what happens in graphical terms: 

U + n v-*- U^C l V 1 2 3 4 

V, V 


s 

On the left are the two client programs witnessing s < U and s < V; and on 
the right, the two different programs witnessing s < U J. V. 

Even worse, when the programs corresponding to s < U and s < V are 
non-trivial, we could interleave the programs before reaching U [V\ 

To give computational sense to the notion of localization, consider a server 
interacting with clients. We allow ourselves a degree of anthropomorphism, by 
referring to what these parties “believe”. 

Think of the self-simulation > as a relation between “visible” or “virtual” 
states for the client(s) and “internal” server states. Because this is a (general) 
simulation, it is guaranteed that we can conduct interaction in the following 
way: 

1. if s' < s, i.e. the Angel believes the Demon is in a state s, but internally, 
the Demon is really in a state s' that simulates s; 

2. the Angel sends a request a G A(s); 

3. the Demon does the following: 

(a) translates the a G A(s) into a a' G A*(s') (by simulation), 

(b) responds to a' with ad' G D*{s', a') (because it is a server program), 

(c) and translate this answer d' into a d G D(s. a) (by simulation); 

4. The Angel receives the answer d G D(s, a); 
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5. the Angel now believes the new state is n(s, a, d) while internally, the 
Demon is really in state n*(s', a', d') < n(s, a , d) that simulates n(s, a , d); 

In particular, after the last point, the Angel can continue interaction. 

Localization can then be seen as the following requirement: suppose the 
server is internally in a state s and that there are two clients who respectively 
believe it is in state sq and S2- The two clients can send their requests and the 
server respond to them (as above) in any order. Suppose the server first responds 
the first client. Then at point (a) in the analysis of client-server interaction 
above, the server can chose some o' which is constrained to bring about a state 
s'[a'/d'] < si[ai/di] (like above) and s'[a'/d'] < s (by localization). The first 
condition allows the first client to continue interaction, while the second point 
(localization) guarantees that the server can also answer requests to the second 
client (because s'[a'/d'\ < s < S2)... 

In other words, that an interaction structure is equipped with a localized 
self-simulation means that we can construct “concurrent virtual servers” with 
which several clients can interact independently. 

One way to localize any interaction structure on S is the following: define 
L(tu) on Fin(S) 14 as 


L(u;).A({ Si |ie/}) 

L (w).D({si I i 6/},(*,a)) 
L(tu).n({s» | i e 1}, (i,a),d) 


= (E iel)w.A(si) 

= w .D( Si ,a) 

= {| ieI}U{s[a/d\} 


with reverse inclusion as simulation order. (To define the inclusion order be¬ 
tween families of states of course requires there to be an equality relation be¬ 
tween states.) This interaction structure (L(to),>) is automatically localized. 

The idea is simply that the Demon keeps a log of all the previous states 
visited during interaction, so that he can use any “past” state as the current 
one. 


Remark. To get a situation which is even closer to “real life”, one can define a 
simulation R : w —> L(te) with (s,l) e R iff “s e l” and use the extension from 
section 6.2.4 to interpret interaction. 

The idea is that the Demon advertizes a service specified by the interaction struc¬ 
ture w, but internally implements L(iu) in order to deal with concurent requests. The 
clients are only supposed to use interface w. 


Points. Now that the notion of localized interaction structure (aka formal 
topology) has a computational interpretation, we can look at the notion of 
formal point. Recall that a formal point in a formal topology on S' is a subset 
a C S such that (see [15]) 

• a is closed; 

• a is non-empty (a 0 a); 

• a is convergent, i.e. sea and s' e a imply that .s } s' § a. 

14 where Fin(S) is the collection of finite subsets of S. Finite subsets are represented by 
families indexed by a finite set (i.e. an integer). 
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We have already described the computational interpretation of a closed sub¬ 
set in section 4.5: the closed subset J(V) is a specification for a server program 
that can maintain V . 15 That it is non-empty means that we actually have a 
proof that s K a for some s, i.e. that we have a server program maintaining V 
(from some specific state s). 

Thus, a point is nothing more than a specification for a server program that 
satisfies 

• if Si e a (a client may connect in state s*) 

• and if s 2 e a (a client may connect in state S 2 ) 

• then there is a(n internal) state s that simulates both si and s 2 (since 
s e Si J. s 2 ) such that sea. In other words, the server can find an internal 
state which will allow it to respond to both si and s 2 . 

Formal points are thus “coherent” server program specifications in the sense 
that they can satisfy any finite number of “unrelated” concurrent clients. 

Continuous maps. A relation R between two localized interaction structures 
Wh and wi is called a continuous map if we have (see [15]): 

• R is a general simulation from Wh to Wi ; 

• R is total: Si <I WI ,< R(Sh); 

• i?(si) l R(s 2 ) <w u < R{S1 l S 2 ). 

Similar interpretation can be devised for continuous maps as for formal points, 
but the relevance of this interpretation in terms of actual client/server program¬ 
ming is still unclear. We prefer to leave the matter open for the time being. 

7 Conclusion, and questions raised 

We hope to have shown that much of basic topology has a natural interpretation 
in programming terms. On reflection this is not surprising: programming is 
essentially about “how to get there from here”, and this is a notion with a 
topological flavor. 

Our study of interaction structures began with the intention of clarifying 
monotone predicate transformers such as those which model specifications in 
imperative programming. We have defined a category in which the objects 
represent command-response interfaces, and the morphisms represent program 
components that implement one (higher-level) interface “on top of” other (lower- 
level) interfaces. The category coincides with the category of basic spaces and 
continuous relations. Closure and interior operators are related to server pro¬ 
grams and client programs, and continuous maps to simulations of one server 
“on top of” another. We have tentatively proposed a computational interpre¬ 
tation of those notions of formal topology connected with convergence, and 
particularly the notion of point. 

15 It is straightforward to extend the J operator to the case of interaction structures with 
self simulations: J W ,<(V) = J W (V^). 
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We would also like to find topological counterparts of fundamental com¬ 
putational notions. For example, safety properties are essentially the same as 
closed sets; but what about fairness properties? For another example we have 
seen that the notion of forward data refinement in programming is connected 
with the notion of continuity (at least at the level of basic topology). From the 
computer science literature, it is known that both forward data refinement and 
backward data refinement are required for refinement of abstract data types 
(see for example [13]). Similar completeness properties hold in approaches to 
refinement based on functions and auxiliary variables rather than relations (see 
for example the use of history and prophecy variables as in [1]). It seems in¬ 
teresting therefore to ask whether backward simulation or the use of prophecy 
variables has a topological interpretation. 

Another line of work concerns the model of classical linear logic presented 
in [23], 

Finally, one hopes that the use of dependent theory type permits the expres¬ 
sion of interface specifications with full precision —that is, going beyond mere 
interface signatures. This might serve as a foundation for designing compo¬ 
nents in real programming languages. Tools to aid design might be built on this 
foundation. However examples of interfaces and simulations are needed both to 
ensure that our model properly captures important properties of interfaces, and 
also to find ergonomically smooth ways of working with simulations. 
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